The front-end JS Ajax calls PHP Write API interface, how to card master security, prevent illegal call it?
Reply content:
The front-end JS Ajax calls PHP Write API interface, how to card master security, prevent illegal call it?
I encountered the problem of the Lord in a WebApp project. Because APIs are prepared for apps, interacting with Ajax and APIs in WebApp also has to be used when interacting with the API.
When making a request to the API, there are two possible scenarios, one being a user login and one that is not logged in. In either case, the following is the way to go, but use different tokens when using tokens. The login user uses the Nonce token generated by the server at login, which is unique, while the user app is not logged in when the request is carried by a service-side and client-agreed token (as confidential as possible).
In the API design, as much as possible to follow the restful style, so in the submission of information, the token used for authentication is placed in the header, token authentication is designed I am the idea:
App login, the server creates tokens (token is encrypted string, can be decrypted, decrypted data contains login user information or non-user signed in the state of the agreed token), and the app and server side of the time difference in the Redis, and return the token to App,app to save it locally, using HTML5 's localstorage to easily
When the app requests the API interface, it passes in a access_token, which is access_token by token and timestamp, guaranteeing that each access_token is different, this Access_ Token is valid for a short period of time, as long as it is guaranteed to be effective in the case of the net speed comparison slag
After receiving this access_token, the service side, after decryption, extracts the data from the corresponding token from the Redis, compares the time difference, considers that it is invalid, and obtains the token corresponding to the USER_ID or whether the token is the agreed value.
This idea can:
Deny illegal calls that don't carry Access_token
Prevent inadvertent crawling to a access_token and want to use the Access_token for a massive Attack
Of course, encryption and decryption here will sacrifice some performance, this is just one of my ideas.
CSRF token
Token technology can be used to avoid being called by third-party programs
Lily, please.
Token encryption backend After the token and the code to write the value of the encrypted data to compare and judge
Plus a token and back-end fit, pure front end solution I'd like to know if there's any.
Thank you, and I answered this question a little bit like, directly connected to the https://segmentfault.com/q/1010000005057679?_ea=768330
JWT Token + HTTPS
Plus signature and other means is basically to improve the illegal call difficulty just, really want to play you have no eggs to use. Above said HTTPS, also can only prevent other user's authorization information leaks, a little useful
It is generally said that the token I am useless I use the anti-theft chain.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.