How to hide an API key when sending AJAX requests?

Time: 2022-07-30 20:30:53

I am about to start working on a project, which is basically a web interface for a mobile banking application. The API is ready, I only need to provide the frontend part of the web application. I was going to make it using Backbone/Angular/Ember, but started to worry about the security.

Particularly, the following. As a rule, every API request must contain a parameter method_code, which is calculated as hash of user token, method name and secret API key. If I put the logic of how this param is calculated into one of .js files, anyone could potentially access some sensitive data using tools like Postman or even browser console. How should I go about this issue? I could have a server-side script generating the method_code for me, but is it possible to make it accessible only to my web app's requests?

2 answers

#1

3

every API request must contain a parameter method_code, which is calculated as hash of user token, method name and secret API key

I could have a server-side script generating the method_code for me, but is it possible to make it accessible only to my web app's requests?

Yes, the server-side script would be the way to go if you do not want to expose the secret API key within your client side code or request data.

The user token can (presumably) come from the user's session cookie value? So simply have a server-side method that takes the method name and then returns the method_code calculated from the secret API key (kept server-side only) and the user token.

The Same Origin Policy will prevent another domain from making a request to your API and retrieving the method_code. I'm also assuming the API and front-end code run on the same domain here, although if this is not the case you can use CORS to allow your front-end code to read and retrieve data client-side via the API.

#2

0

You can try to generate a token based on security factors, encrypt it, and use it in your requests to identify your clients and valid requests.
