javascript 对服务器的安全 ajax GET/POST 请求
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/29883223/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Secure ajax GET/POST request for server
提问by Dima Gimburg
suppose I work with some kind of API and my file server.phphandles the connection to the API service. on my client side I use AJAX call like this:
假设我使用某种 API 并且我的文件server.php处理与 API 服务的连接。在我的客户端,我使用这样的 AJAX 调用:
$http({
url : 'server/server.php',
method : 'GET',
data : { getContent : true }
});
in my server.php I handle it like this:
在我的 server.php 中,我是这样处理的:
if(isset($_GET['getContent'])){
$content = get_content();
}
function get_content(){...}
i just wonder what prevents any one send AJAX call with the same getContent parameter and get all my data? how can i secure it and make sure only calls from my application will get the relevant data back?
我只是想知道是什么阻止任何人使用相同的 getContent 参数发送 AJAX 调用并获取我的所有数据?我如何保护它并确保只有来自我的应用程序的调用才能取回相关数据?
thank you!
谢谢!
回答by FakirTrappedInCode
I guess you are concerned about CSRF attacks. Read more about this here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
我猜您担心 CSRF 攻击。在此处阅读更多相关信息:https: //www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
One of the mostly used option to secure your request will be: - Generate a token and send it with the request for a session. This token can be identified by your WebServer as originating from a specific client for a specific session
保护您的请求的最常用选项之一是: - 生成令牌并将其与会话请求一起发送。您的 WebServer 可以将此令牌标识为源自特定会话的特定客户端
回答by sitilge
i just wonder what prevents any one send AJAX call with the same getContent parameter and get all my data?
我只是想知道是什么阻止任何人使用相同的 getContent 参数发送 AJAX 调用并获取我的所有数据?
Nothing. This URL is public thus anyone can make requests to it.
没有什么。这个 URL 是公开的,因此任何人都可以向它发出请求。
how can i secure it and make sure only calls from my application will get the relevant data back?
我如何保护它并确保只有来自我的应用程序的调用才能取回相关数据?
You can pass additional data (for example, some hashed value) that is verified on the server side.
您可以传递在服务器端验证的其他数据(例如,一些散列值)。
$http({
url : 'server/server.php',
method : 'GET',
data : { getContent : true, hash : '0800fc577294c34e0b28ad2839435945' }
});
and
和
if(isset($_GET['getContent']))
{
if(isset($_GET['hash']) && validateHash($_GET['hash']))
{
$content = get_content();
}
}
function get_content(){...}
回答by Quentin
i just wonder what prevents any one send AJAX call with the same getContent parameter and get all my data?
我只是想知道是什么阻止任何人使用相同的 getContent 参数发送 AJAX 调用并获取我的所有数据?
The same way you would protect the data in any other request (e.g. with user authentication). There's nothing special about Ajax in regards to HTTP as far as the server is concerned.
与保护任何其他请求中的数据的方式相同(例如,使用用户身份验证)。就服务器而言,Ajax 在 HTTP 方面没有什么特别之处。
how can i secure it and make sure only calls from my application will get the relevant data back?
我如何保护它并确保只有来自我的应用程序的调用才能取回相关数据?
You can't. The user can always inspect what their browser is asking the server for and replicate it.
你不能。用户总是可以检查他们的浏览器向服务器询问什么并复制它。
Generally, people authenticate users rather than applications.
通常,人们对用户而不是应用程序进行身份验证。
