For websites with completely separated front and back ends, the backend uses PHP/Java/Python to output JSON-format data to the front end, while the front end uses ajax to call the back-end interface to obtain data. In this case, if the backend interface does not take certain protection measures, it is easy to be maliciously called by others for some illegal operations. So what are the mainstream back-end interface protection practices in this completely isolated front-end and back-end website architecture?
Reply content:
1) Issue a verification key to your API users, and encode the requested data content according to the rules defined by both parties and the key. The backend obtains the request, decodes it, and checks whether it meets expectations; also set the access frequency of each key.
If the content does not meet expectations, the request is rejected directly.
If access is too frequent, this user is not allowed to access within a certain period of time.
2) You can also issue an SSH private key/public key to ensure that...
Use the `Access-Control-Allow-Origin` header and a CSRF token.
If you want to limit the number of requests, you can also add `X-RateLimit-Limit` and `X-RateLimit-Remaining` to the headers to control access.
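The origin allow-list and session-bound CSRF token this answer mentions, as an added example that is not part of the original answer. The secret, the allowed origins and the header names `Origin` and `X-CSRF-Token` are assumptions constructed for the example; the token format (expiry, nonce, HMAC tag) is one common design, not something the answer prescribes.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: server-side secret and the origins that may call the API.
SERVER_SECRET = b"replace-with-a-random-32-byte-secret"
ALLOWED_ORIGINS = {"https://www.example.com", "https://app.example.com"}
TOKEN_TTL = 3600  # seconds a CSRF token stays valid


def cors_origin_header(request_origin):
    """Value for Access-Control-Allow-Origin, or None to omit the header.

    Echo back only an allow-listed origin. Never answer '*' on an API that
    relies on cookies: browsers would then let any site read the JSON.
    """
    if request_origin in ALLOWED_ORIGINS:
        return request_origin
    return None


def issue_csrf_token(session_id, now=None):
    """Mint a CSRF token bound to the session: <expiry>.<nonce>.<hmac-sha256>."""
    now = int(time.time()) if now is None else now
    expiry = now + TOKEN_TTL
    nonce = secrets.token_hex(8)
    msg = f"{session_id}|{expiry}|{nonce}".encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{expiry}.{nonce}.{tag}"


def verify_csrf_token(session_id, token, now=None):
    """True only if the token was minted for this session and has not expired."""
    now = int(time.time()) if now is None else now
    try:
        expiry_s, nonce, tag = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return False
    if now > expiry:
        return False
    msg = f"{session_id}|{expiry}|{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return hmac.compare_digest(expected.encode(), tag.encode())


def check_state_changing_request(headers, session_id, now=None):
    """Gate a POST/PUT/DELETE: Origin (if sent) must be allow-listed, token must verify."""
    origin = headers.get("Origin")
    if origin is not None and cors_origin_header(origin) is None:
        return False, "origin not allowed"
    token = headers.get("X-CSRF-Token", "")
    if not verify_csrf_token(session_id, token, now):
        return False, "bad csrf token"
    return True, "ok"
```

The token is tied to the session id, so a token leaked from one session is useless in another, and the expiry bounds how long a captured token can be replayed.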
At present, my idea is to limit the frequency of operations, because no matter what you do, a script developed as a Chrome plug-in can always bypass all restrictions by exploiting your own user experience requirements.
At the same time, we recommend that you control the open API permissions. For example,
`http://api.xxx.com/customer/user/get?id=12345`
Do not design this API so that the id can be replaced at will to query all user information. In the filter, perform authentication verification on the input id against the login user information maintained in the session.
If this page is designed to be a static page that can be viewed without user logon, we recommend that you do not use this solution to implement the page; it is difficult to do SEO and CDN-based operations.
Let me give you a simple solution: determine whether the request source is ajax. If not, reject the request. Then ajax requests can be counted; if requests are too frequent per unit time, requests are forbidden (this will indiscriminately block a large company sitting behind a single IP address).
If ajax is used, you cannot determine whether the request is malicious, because it is likely to actually come from your own page.
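The ownership check this answer describes (compare the `id` in the request with the login user kept in the session) together with its "is it ajax" heuristic, as an added example that is not from the original answer. The user table, the session dictionary layout, the `admin` role and the handler shape are assumptions constructed for the example.

```python
# Constructed sample user table keyed by numeric id.
USERS = {
    12345: {"name": "alice", "email": "alice@example.com"},
    12346: {"name": "bob", "email": "bob@example.com"},
}
ADMIN_ROLE = "admin"  # assumed role name allowed to read any record


class Forbidden(Exception):
    """Raised when the logged-in user may not read the requested record."""


def is_ajax_request(headers):
    """The answer's ajax heuristic: jQuery-style clients send X-Requested-With.

    Any script can set this header, so it only filters casual misuse and must
    never replace the ownership check below.
    """
    return headers.get("X-Requested-With", "").lower() == "xmlhttprequest"


def authorize_user_fetch(session, requested_id):
    """The 'filter': the id in the request must match the session's login user."""
    login_id = session.get("user_id")
    if login_id is None:
        raise Forbidden("login required")
    if requested_id != login_id and session.get("role") != ADMIN_ROLE:
        raise Forbidden("id does not belong to the logged-in user")
    return True


def handle_get_user(headers, session, query):
    """Handler for /customer/user/get?id=<n>; returns (status, json_body)."""
    if not is_ajax_request(headers):
        return 403, {"error": "ajax requests only"}
    try:
        uid = int(query.get("id", ""))
    except ValueError:
        return 400, {"error": "id must be an integer"}
    try:
        authorize_user_fetch(session, uid)
    except Forbidden as exc:
        return 403, {"error": str(exc)}
    user = USERS.get(uid)
    if user is None:
        return 404, {"error": "no such user"}
    # Return only the fields the front end needs, not the whole record.
    return 200, {"id": uid, "name": user["name"]}
```

The authorization step runs before the database lookup, so a caller who substitutes another id learns nothing, not even whether that id exists.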
Perform a token verification. When the frontend needs to call the backend interface, just upload an encrypted token.
It is generally a token, and there is a source... This kills one piece.
Backend verification is the most important thing.
The transferred data can be encrypted using js, which slightly increases the difficulty of packet capture.
I have been thinking about this issue recently.
Try OAuth verification.
How can I obtain data if no session is recorded on the backend?
Later, I thought about it. Some data is not very sensitive and can be loaded without logon. If it is sensitive data, it can be called asynchronously after the user logs on.
Verification code, session, and IP address restriction can all be done...
What you see is what you get.
The stateless feature of HTTP makes it impossible for a third party to call your background services. The methods mentioned above have some effect, including CSRF tokens, interface call frequency limits, and user behavior analysis; in some respects, they can only increase the difficulty of third-party calls.
The 12306 website is the best example.
You can use a session to log on for data. If logon is not needed, you can use the parameters key and time for authentication:
`test.php?a=1&b=2&time=12345678&code=xxxx`
xxxx is the authentication code. You can simply use `md5("a1b2time12345678passwd")`, that is, the parameter list, the current time, and the password. You can use multiple passwords, that is, one password per client. Each client sends an appid, which means adding a parameter:
`test.php?appid=1&a=1&b=2&time=12345678&code=xxxx`
In this way, you can change the password of a client at any time or discard a client's requests.
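The `appid`/`time`/`code` scheme from this answer, as an added example that is not from the original answer: the client builds `code` over the parameters, the time and a per-client password, and the server looks up the password by `appid`, rejects stale timestamps and recomputes the code. The per-client secrets, the sorted-parameter canonicalization and the 300-second skew window are assumptions constructed for the example. It goes one step beyond the answer by also offering an HMAC-SHA256 signer, which is the usual hardened form of the md5 concatenation the answer describes.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed per-client secrets: one password per appid, as the answer suggests.
# Revoking a client is just deleting its entry.
CLIENT_SECRETS = {"1": "client-one-secret", "2": "client-two-secret"}
MAX_SKEW = 300  # seconds the request's time parameter may differ from server time


def _canonical(params):
    """Join every parameter except 'code' as name+value, in sorted name order."""
    return "".join(f"{k}{v}" for k, v in sorted(params.items()) if k != "code")


def sign(params, secret):
    """code = md5(parameter list + time + password), as the answer describes."""
    return hashlib.md5((_canonical(params) + secret).encode()).hexdigest()


def sign_hmac(params, secret):
    """Hardened variant: HMAC-SHA256 keyed with the client password."""
    return hmac.new(secret.encode(), _canonical(params).encode(), hashlib.sha256).hexdigest()


def build_request(path, appid, secret, params, now=None, signer=sign):
    """Client side: add appid and time, then attach the code."""
    now = int(time.time()) if now is None else now
    p = dict(params, appid=appid, time=str(now))
    p["code"] = signer(p, secret)
    return f"{path}?{urlencode(p)}"


def verify_request(url, now=None, signer=sign):
    """Server side: returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    _, _, query = url.partition("?")
    params = dict(parse_qsl(query, keep_blank_values=True))
    secret = CLIENT_SECRETS.get(params.get("appid", ""))
    if secret is None:
        return False, "unknown or revoked appid"
    try:
        ts = int(params.get("time", ""))
    except ValueError:
        return False, "bad time"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale request"
    expected = signer(params, secret)
    if not hmac.compare_digest(expected.encode(), params.get("code", "").encode()):
        return False, "bad signature"
    return True, "ok"
```

Because the time is covered by the code, an attacker cannot refresh a captured URL's timestamp without also knowing the password; the skew window bounds how long a captured URL can be replayed at all.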
Illegal access is usually solved by authentication. There are many methods, such as session and OAuth.
For valid authenticated access, the frequency and number of accesses are usually limited. Various API frameworks support this, such as the throttling of Django REST framework.
For DoS-level access, you usually need to control it at the front end, such as configuring a rate limit on nginx.
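The per-key frequency limit from the first answer (set an access frequency for each key, refuse the key for a period when it is exceeded), the `X-RateLimit-Limit` / `X-RateLimit-Remaining` headers from the second answer, and the framework throttling this answer mentions all reduce to one mechanism. As an added example, not the page's own code nor Django REST framework's implementation, a sliding-window limiter keyed by API key; the limit, window and block duration are constructed values.

```python
import math
import time
from collections import deque


class KeyRateLimiter:
    """At most `limit` requests per `window` seconds for each key.

    If `block_for` is set, a key that exceeds the limit is refused for that many
    seconds, which is the 'not allowed to access within a certain period'
    behaviour from the first answer.
    """

    def __init__(self, limit, window, block_for=0):
        self.limit = limit
        self.window = window
        self.block_for = block_for
        self._hits = {}      # key -> deque of request timestamps inside the window
        self._blocked = {}   # key -> time until which the key is refused

    def check(self, key, now=None):
        """Decide one request: returns (allowed, response_headers)."""
        now = time.monotonic() if now is None else now
        until = self._blocked.get(key)
        if until is not None:
            if now < until:
                return False, self._headers(0, until - now)
            del self._blocked[key]
        q = self._hits.setdefault(key, deque())
        # Drop timestamps that have slid out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            if self.block_for:
                self._blocked[key] = now + self.block_for
                retry = self.block_for
            else:
                retry = q[0] + self.window - now
            return False, self._headers(0, retry)
        q.append(now)
        return True, self._headers(self.limit - len(q), None)

    def _headers(self, remaining, retry_after):
        h = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(remaining),
        }
        if retry_after is not None:
            h["Retry-After"] = str(math.ceil(retry_after))
        return h
```

The deque per key holds at most `limit` entries, so memory is bounded by the number of active keys; on a multi-process deployment the same counters would live in a shared store instead of process memory.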
Perform token verification, following the major open APIs. Each request must undergo verification, so it cannot be called at will.
HTTP requests support authentication. You can use Basic auth for access identity authentication, or use OAuth2 to authenticate requests.
For details, the original poster (lz) can refer to the JS interface.