https://segmentfault.com/q/1010000005618139
When Vue fetches data via Ajax, how do I secure the passed parameters, or how do I protect the API?
Clicking Submit sends the request.
But api:123, which is used to encrypt the parameters, is directly exposed. Right-click and view the source to see it:
```html
<body>
<div class="row">
  <div class="col-md-4 col-md-offset-4">
    <table class="table table-bordered" id="content">
      <tr>
        <td>Product Categories</td>
        <td>
          <select name="cid" v-model="cid">
            <template v-for="vo in goodscategory">
              <option v-bind:value="vo.goodscategory_id">{{vo.goodscategory_name}}</option>
            </template>
          </select>{{cid}}
        </td>
      </tr>
      <tr>
        <td style="width:30%">Product Name</td>
        <td>
          <input type="text" name="name" v-model="goodsname" value=""/>
          <span>{{goodsname}}</span>
        </td>
      </tr>
      <tr>
        <td>Sort</td>
        <td><input type="text" name="sort" v-model="sort"/>{{sort}}</td>
      </tr>
      <tr>
        <td>Price</td>
        <td><input type="text" v-model="price"/>{{price}}</td>
      </tr>
      <tr>
        <td>Product Description</td>
        <td><textarea name="desc" id="" cols="" rows="5" v-model="desc"></textarea>{{desc}}</td>
      </tr>
      <tr>
        <td colspan="2"><button type="button" v-on:click="submit">Submit</button></td>
      </tr>
    </table>
  </div>
</div>
<script type="text/javascript">
var vm = new Vue({
  el: "#content",
  data: {
    cid: 0,
    goodsname: "",
    sort: 0,
    price: 0,
    desc: "",
    goodscategory: []
  },
  methods: {
    submit: function () {
      // POST the form fields to the backend
      this.$http({
        url: 'http://localhost/wang/index.php/Admin/Goods/createProcess',
        method: 'POST',
        emulateJSON: true,
        data: {
          cid: this.cid,
          name: this.goodsname,
          sort: this.sort,
          price: this.price,
          desc: this.desc
        }
      }).then(function (response) {
        console.log(response.data);
      }, function (response) {});
    }
  },
  ready: function () {
    var self = this;
    // Load the category list that fills the <select>
    this.$http({
      url: 'http://localhost/wang/index.php/Home/Vue/goodscategory',
      method: 'POST'
    }).then(function (response) {
      self.$set('goodscategory', response.data);
    }, function (response) {
      // Error callback
    });
  }
});
</script>
</body>
```
Solution:
1. Input control on the interface service side
2. Parameter legality check
3. HTTPS
4. CSRF token security check
This is transparent to the user. Ideas for prevention:
1. Server-side CSRF token check
2. Referer check
3. Frequency control for the same user
Before outputting the response, the server adds an obfuscating prefix to the session ID and encrypts it (MD5), then embeds the result in a hidden <input/> in the HTML. All requests send this field to the server by default, and the server checks that it is equal.
Check $_REQUEST['Referer'] to determine whether this field is empty or is not the domain name you expect.
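The three server-side checks listed in the answer above (CSRF token, Referer check, per-user frequency control), written for a Node.js backend as an added example that is not part of the original thread. It swaps HMAC-SHA256 with a server-side key in for the MD5-of-session-ID token the answer describes; the secret, the limits and all function names are assumptions.

```javascript
// Added example, not code from the thread. All names and values are hypothetical.
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // assumption: per-deployment key, never sent to the client
const ALLOWED_HOST = 'localhost';         // host used by the URLs in the question
const LIMIT = 5, WINDOW_MS = 60_000;      // assumption: 5 accepted requests per user per minute
const hits = new Map();                   // sessionId -> timestamps of accepted requests

// Token rendered into the page (hidden <input>) and sent back with every request.
// Keyed HMAC instead of MD5(prefix + sessionId): the key plays the role of the prefix.
function issueToken(sessionId) {
  return crypto.createHmac('sha256', SECRET).update(sessionId).digest('hex');
}

// Constant-time comparison; the length guard is needed because timingSafeEqual throws on mismatch.
function tokenMatches(sessionId, token) {
  const expected = Buffer.from(issueToken(sessionId));
  const given = Buffer.from(String(token || ''));
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Reject an empty Referer and compare the parsed hostname exactly, not by substring.
function refererAllowed(referer) {
  if (!referer) return false;
  try { return new URL(referer).hostname === ALLOWED_HOST; }
  catch { return false; }
}

// Sliding-window frequency control keyed by session.
function underRateLimit(sessionId, now) {
  const recent = (hits.get(sessionId) || []).filter(t => now - t < WINDOW_MS);
  const ok = recent.length < LIMIT;
  if (ok) recent.push(now);
  hits.set(sessionId, recent);
  return ok;
}

// Returns the HTTP status the endpoint would answer with.
function checkRequest(req, now = Date.now()) {
  if (!refererAllowed(req.referer)) return 403;
  if (!tokenMatches(req.sessionId, req.token)) return 403;
  if (!underRateLimit(req.sessionId, now)) return 429;
  return 200;
}
```

These checks sit in front of the handler; authentication and permission checks on the API itself still decide who may read or write the data.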
Does this kind of data-viewing API hold any secrets? If it does, the effort should go into API authentication, for example requiring login to access the API, or requiring the appropriate permissions.
Otherwise, if it is only public data, it is meant for people to see anyway, so what is there to defend against?
One more thing you haven't understood: information security focuses on the information, but you understand it as being about the channel used to get the information.
Protecting an API is not about preventing others from knowing your API; it is about preventing others from illegally accessing the data inside your API.
So does a Vue project store user state with a session or a cookie?
And when does HTTPS encrypt the data?
First, a session is something on the server that stores the user state. A cookie is something that saves data on the client. The two are not the same thing at all.
But in usual practice, we save a sessionID in a cookie on the client, and the user carries it with every request to the backend. When the backend receives the request, it uses this sessionID to fetch the corresponding session data from the cache (memcached or a similar caching tool) and uses it.
HTTPS is a protocol-layer thing, usually handled by the company's operations or IT engineers. Of course, if you do need to understand it, you can look up information online.