HTML interacts with PHP with Ajax (Restful API)

Source: Internet
Author: User
Tags: csrf attack
Because the mobile side and the PC-side API are shared, you want to do this.
HTML interacts with PHP in the form of Ajax (Restful API).
1. How to ensure security?
2. What is there to pay attention to?
3. How can I prevent the request from being maxed out by others?

Or, what are the advantages and disadvantages compared to MVC?

Reply content:

1. Security
Security is universal for anything web-related; it is not a problem you solve per method.
For example, input checking: the normal check is two-step (browser, server). For an API-style design, which is requested directly, the server must strictly verify all incoming data.
Another example is access rights. Although the API is exposed to direct access, you can require additional parameters as access control. Where the parameter comes from and how it is used is up to you.

2. What should you pay attention to?
The question is really too broad.

3. Request flooding ("brushing")
In fact, this can be folded into question 1.
If you pass in a key value as an extra parameter, limit the number of times that key can be used. This is just a simple way to deal with it.
However, this approach does not help if what you encounter is effectively a CSRF attack.

In fact, any web application can be captured by packet analysis, interpreted as a "pseudo-API" (not a technical term), and then requested directly for results. Crawlers basically work this way.
So the points to pay attention to are (in fact, this answers question 2):
1. Security
Security policies for issues such as permissions on the system itself
Security hardening against attack
2. Crawlers
Anti-crawler-related technology.

Security: if your data is sensitive, use HTTPS.
Anti-flooding: multi-IP throttling on the server side. On the client side you can use JS to build some encrypted string and use that against flooding as well (but it will be cracked; Google's login does the same thing, it's just that its JS algorithm is very hard to reverse).
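As an added example that is not part of either reply above, the following PHP script puts the points from both answers into one request guard for an Ajax/REST endpoint: strict server-side validation of the body, an extra required parameter (an API key) as access control, a fixed-window rate limit per key and per client IP, and a refusal to serve plaintext HTTP. The header name `X-Api-Key`, the keys in `VALID_KEYS`, the limits and the file-backed counter are all assumptions made for this demo.

```php
<?php
// Added example, not code from the original thread. Assumed names: X-Api-Key,
// VALID_KEYS, KEY_LIMIT, IP_LIMIT, WINDOW_SECONDS.
declare(strict_types=1);

// Hypothetical issued keys; in practice load these from a database or config.
const VALID_KEYS = ['demo-key-1' => 'mobile-app', 'demo-key-2' => 'web-frontend'];
const KEY_LIMIT = 60;        // requests per window per key (assumed value)
const IP_LIMIT = 300;        // requests per window per client IP (assumed value)
const WINDOW_SECONDS = 60;   // fixed window length (assumed value)

/**
 * Fixed-window counter backed by a small locked file so the demo runs without
 * APCu or Redis. Returns true while the bucket is still within its limit.
 */
function withinLimit(string $bucket, int $limit, ?int $now = null): bool
{
    $window = intdiv($now ?? time(), WINDOW_SECONDS);
    $path = sys_get_temp_dir() . '/ratelimit_' . hash('sha256', $bucket) . '.json';
    $fh = fopen($path, 'c+');
    if ($fh === false) {
        return false; // fail closed: if we cannot count, we do not serve
    }
    flock($fh, LOCK_EX);
    $state = json_decode((string) stream_get_contents($fh), true);
    if (!is_array($state) || ($state['window'] ?? -1) !== $window) {
        $state = ['window' => $window, 'count' => 0]; // new window, reset
    }
    $state['count']++;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $state['count'] <= $limit;
}

/** Validate the body on the server no matter what the browser already checked. */
function validateInput(array $body): array
{
    $errors = [];
    $clean = [];
    $id = filter_var($body['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        $errors[] = 'id must be a positive integer';
    } else {
        $clean['id'] = $id;
    }
    $title = $body['title'] ?? null;
    // 1-100 characters, no control or other non-printable code points
    if (!is_string($title) || !preg_match('/^[^\p{C}]{1,100}\z/u', $title)) {
        $errors[] = 'title must be 1-100 printable characters';
    } else {
        $clean['title'] = $title;
    }
    return ['ok' => $errors === [], 'data' => $clean, 'errors' => $errors];
}

/** Run the checks in order; returns [HTTP status, JSON-serialisable body]. */
function handleRequest(array $server, array $headers, array $body): array
{
    if (($server['HTTPS'] ?? 'off') === 'off') {
        return [403, ['error' => 'https required']]; // never accept keys in the clear
    }
    $ip = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (!withinLimit('ip:' . $ip, IP_LIMIT)) {
        return [429, ['error' => 'too many requests from this address']];
    }
    // The key travels in a header rather than the URL, so it is not logged or cached,
    // and a cross-site HTML form cannot supply it.
    $key = (string) ($headers['X-Api-Key'] ?? '');
    $client = null;
    foreach (VALID_KEYS as $candidate => $name) {
        if (hash_equals($candidate, $key)) { // constant-time comparison
            $client = $name;
        }
    }
    if ($client === null) {
        return [401, ['error' => 'invalid api key']];
    }
    if (!withinLimit('key:' . $key, KEY_LIMIT)) {
        return [429, ['error' => 'key quota exceeded']];
    }
    $v = validateInput($body);
    if (!$v['ok']) {
        return [400, ['errors' => $v['errors']]];
    }
    return [200, ['client' => $client, 'data' => $v['data']]];
}

// Stand-alone demo with constructed requests: php demo.php
if (PHP_SAPI === 'cli') {
    $tls = ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.7'];
    $cases = [
        'good'     => handleRequest($tls, ['X-Api-Key' => 'demo-key-1'], ['id' => '42', 'title' => 'hello']),
        'badKey'   => handleRequest($tls, ['X-Api-Key' => 'nope'], ['id' => '42', 'title' => 'hello']),
        'badInput' => handleRequest($tls, ['X-Api-Key' => 'demo-key-1'], ['id' => '-1', 'title' => '']),
        'plain'    => handleRequest(['HTTPS' => 'off'], ['X-Api-Key' => 'demo-key-1'], []),
    ];
    foreach ($cases as $label => [$status, $resp]) {
        echo $label, ': ', $status, ' ', json_encode($resp), PHP_EOL;
    }
}
```

The checks are ordered so that the cheapest rejection happens first: a plaintext request or a flooding IP is turned away before any key lookup or validation runs. The file-backed fixed window is only there to keep the demo dependency-free; a shared store such as Redis with a sliding window is the usual choice once the API sits behind more than one PHP worker. Per-key limiting still does nothing against a caller who simply extracts the key from the client, which is the limitation the first reply points out; it only bounds how much damage one key can do.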
