Rails跨域请求安全性问题

时间:2021-12-14 15:31:18

I am developing a Rails app which relies on a lot of jQuery AJAX requests to the server, in the form of JSONs. The app has no authentication (it is open to the public). The data in these requests is not sensitive in small chunks, but I want to avoid external agents from having access to the data, or automating requests (because of the server load and because of the data itself).

我正在开发一个Rails应用程序,它依赖大量jQuery AJAX请求到服务器,以JSONs的形式。该应用程序没有身份验证(对公众开放)。这些请求中的数据在小块中不敏感,但我希望避免外部代理访问数据或使请求自动化(因为服务器负载和数据本身)。

I would ideally like to include some kind of authentication whereby only requests can only be made from javascript in the same domain (i.e. clients on my website), but I don't how or if this can be done. I am also thinking about encrypting the query strings and/or the responses.

理想情况下,我希望包含某种身份验证,即只有在同一域中的javascript才能发出请求(例如,我的网站上的客户端),但我不知道如何或是否可以这样做。我还在考虑加密查询字符串和/或响应。

Thank you.

谢谢你!

4 个解决方案

#1


1  

What do you mean only your app should request these JSONs? A client will eventually have to trigger an event, otherwise no request will be sent to the server.

你的意思是只有你的应用应该要求这些JSONs?客户机最终必须触发事件,否则不会向服务器发送请求。

Look at the source code of any of your app's pages. You will notice an authenticity token, generated by the protect_from_forgery method in your application controller - from the api:

查看应用程序的任何页面的源代码。您将注意到在您的应用程序控制器中由protect_from_forgery方法生成的一个真实令牌——来自api:

Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.

By default, this is enabled and included in your application controller.

默认情况下,这是启用的,并包含在应用程序控制器中。

If you really need to check whether a request comes from your own IP, have a look at this great question.

如果您确实需要检查请求是否来自您自己的IP,请查看这个伟大的问题。

#2


1  

I want to avoid external agents from having access to the data... because of the server load and because of the data itself.
  1. If you're really concerned about security, this other question details how to implement an API key: What's the point of a javascript API key when it can be seen to anyone viewing the js code

    如果您真的关心安全性,那么另一个问题将详细说明如何实现API键:在任何查看js代码的人都能看到javascript API键时,它的意义是什么

  2. You shouldn't solve problems you don't have yet, server load shouldn't be a concern until it actually is a problem. Why don't you monitor server traffic and implement this feature if you notice too much load from other agents?

    您不应该解决尚未解决的问题,服务器负载在真正成为问题之前不应该是一个问题。如果您注意到其他代理的负载太多,为什么不监视服务器流量并实现这个特性呢?

#3


1  

I ended up passing token=$('meta[name=csrf-token]').attr("content")in the request URL and comparing with session[:_csrf_token] in the controller.

最后,我在请求URL中传递了token=$('meta[name=csrf-token]]).attr("content"),并与控制器中的session[:_csrf_token]进行比较。

#4


0  

def check_api
  redirect_to root_url, :alert => 'effoff' unless request.host =~ /yourdomain.com/
end

that should work to check your domain. Not sure you need the js part, but it's something.

这应该可以检查你的域名。不确定是否需要js部分,但它是。

#1


1  

What do you mean only your app should request these JSONs? A client will eventually have to trigger an event, otherwise no request will be sent to the server.

你的意思是只有你的应用应该要求这些JSONs?客户机最终必须触发事件,否则不会向服务器发送请求。

Look at the source code of any of your app's pages. You will notice an authenticity token, generated by the protect_from_forgery method in your application controller - from the api:

查看应用程序的任何页面的源代码。您将注意到在您的应用程序控制器中由protect_from_forgery方法生成的一个真实令牌——来自api:

Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.

By default, this is enabled and included in your application controller.

默认情况下,这是启用的,并包含在应用程序控制器中。

If you really need to check whether a request comes from your own IP, have a look at this great question.

如果您确实需要检查请求是否来自您自己的IP,请查看这个伟大的问题。

#2


1  

I want to avoid external agents from having access to the data... because of the server load and because of the data itself.
  1. If you're really concerned about security, this other question details how to implement an API key: What's the point of a javascript API key when it can be seen to anyone viewing the js code

    如果您真的关心安全性,那么另一个问题将详细说明如何实现API键:在任何查看js代码的人都能看到javascript API键时,它的意义是什么

  2. You shouldn't solve problems you don't have yet, server load shouldn't be a concern until it actually is a problem. Why don't you monitor server traffic and implement this feature if you notice too much load from other agents?

    您不应该解决尚未解决的问题,服务器负载在真正成为问题之前不应该是一个问题。如果您注意到其他代理的负载太多,为什么不监视服务器流量并实现这个特性呢?

#3


1  

I ended up passing token=$('meta[name=csrf-token]').attr("content")in the request URL and comparing with session[:_csrf_token] in the controller.

最后,我在请求URL中传递了token=$('meta[name=csrf-token]]).attr("content"),并与控制器中的session[:_csrf_token]进行比较。

#4


0  

def check_api
  redirect_to root_url, :alert => 'effoff' unless request.host =~ /yourdomain.com/
end

that should work to check your domain. Not sure you need the js part, but it's something.

这应该可以检查你的域名。不确定是否需要js部分,但它是。