Mobile apps are popular right now, so this article shares my experience (as a novice) building server-side interfaces that an app connects to. Please correct any shortcomings.
The site's interface for the app is exposed on the public network (that is, the interface project can be reached directly from the Internet), so the project's data confidentiality and some request validation have to be taken into account.
The interfaces I am currently working on use the following techniques:
1: Data encryption/decryption: data in transit needs to be encrypted to protect it effectively (my project uses AES encryption/decryption from the .NET Framework).
2: Signature verification: the app applies an irreversible "encryption" (a hash) to the request data and places the result in an HTTP request header; the server hashes the data it received with the same method and compares the two values. To a certain extent, this protects the data from being tampered with.
3: Timestamp verification: the app adds a timestamp to the HTTP request; the server reads it and checks it against the server's own time, which prevents replay attacks.
4: Login-time verification: each time a user logs in, a unique token is stored in the database and returned to the app; on every data request the server checks whether that token has expired, and if so the user must log in again.
Recommendation for handling the above checks in one place during project development:
1: Decrypt and validate the parameters centrally as the request data arrives.
Method: for unified decryption, the Web API project can inherit MessageProcessingHandler and override its ProcessRequest and ProcessResponse methods: decrypt the incoming data in ProcessRequest and encrypt the outgoing data in ProcessResponse.
2: For data validation, inherit DelegatingHandler and override its SendAsync method. If validation passes, return base.SendAsync(request, cancellationToken), which forwards the message to the corresponding interface (controller) for processing.
If validation does not pass, the error information can be returned directly in the following way:
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;

/// <summary>
/// Return an error message to the client
/// </summary>
/// <param name="request">HTTP request</param>
/// <param name="needEncrypt">whether to encrypt the response information</param>
/// <param name="errorMessage">error message</param>
/// <returns>The error message, returned asynchronously</returns>
// Method name lost in extraction; "ReturnErrorMessage" is assumed here
private Task<HttpResponseMessage> ReturnErrorMessage(HttpRequestMessage request, bool needEncrypt,
    string errorMessage = "Request parameter error")
{
    // Log the bad request
    LogErrorRequest(request);
    // Build the error response message
    var response = new HttpResponseMessage();
    var error = JsonConvert.SerializeObject(new ApiResult() { Message = errorMessage });
    response.Content = new StringContent(error, Encoding.GetEncoding("UTF-8"), "application/json");
    response.StatusCode = System.Net.HttpStatusCode.OK;
    if (needEncrypt)
        // Marker header, presumably consumed by the ProcessResponse override that encrypts the body
        response.Content.Headers.Add("ToEncrypt", "");
    // Return statement was truncated in extraction; wrapping the built response in a completed Task
    return Task.FromResult(response);
}
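As an added example (not code from the original post), here is a DelegatingHandler that performs the timestamp check (point 3) and the signature check (point 2) in its SendAsync override before handing the request to base.SendAsync. It uses a keyed HMAC-SHA256 instead of the bare hash described above, so the signature cannot be recomputed without the shared secret, and compares signatures in constant time; the header names X-Timestamp and X-Signature, the placeholder key and the five-minute window are assumptions.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
public class RequestValidationHandler : DelegatingHandler
{
    // Assumed: shared app/server secret and header names are placeholders, not the post's values.
    private static readonly byte[] SharedKey = Encoding.UTF8.GetBytes("SHARED-KEY-PLACEHOLDER");
    private static readonly TimeSpan AllowedSkew = TimeSpan.FromMinutes(5);
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        string timestamp = Header(request, "X-Timestamp"), signature = Header(request, "X-Signature");
        long sentAt;
        if (timestamp == null || signature == null || !long.TryParse(timestamp, out sentAt))
            return Error("Missing or malformed validation headers");
        // Replay protection (point 3): the client's Unix time must lie within the allowed skew.
        var age = DateTimeOffset.UtcNow - DateTimeOffset.FromUnixTimeSeconds(sentAt);
        if (age.Duration() > AllowedSkew)
            return Error("Request expired");
        // Tamper protection (point 2): HMAC over timestamp + body must match the client's header.
        string body = request.Content == null ? "" : await request.Content.ReadAsStringAsync();
        if (!FixedTimeEquals(Sign(timestamp, body), signature))
            return Error("Bad signature");
        // All checks passed: hand the message on to the controller pipeline.
        return await base.SendAsync(request, cancellationToken);
    }
    // Keyed hash: unlike a bare hash, forging it requires the secret, not just the algorithm.
    public static string Sign(string timestamp, string body)
    {
        using (var hmac = new HMACSHA256(SharedKey))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(timestamp + "\n" + body)));
    }
    // Constant-time comparison so timing does not reveal how many leading characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    private static string Header(HttpRequestMessage r, string name) =>
        r.Headers.Contains(name) ? r.Headers.GetValues(name).First() : null;
    private static HttpResponseMessage Error(string message) => new HttpResponseMessage(HttpStatusCode.BadRequest)
        { Content = new StringContent("{\"Message\":\"" + message + "\"}", Encoding.UTF8, "application/json") };
}
```

Register the handler in GlobalConfiguration.Configuration.MessageHandlers so it runs before routing; the app must send the same HMAC over the same timestamp + body string, or every request will be rejected.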
WEBAPI service-side docking app