POST信用卡数据从View到Controller是否安全?

时间:2022-01-24 17:03:37

Need to submit some CC data from the View to the Controller where it will be processed, can I just POST it or is there some common way of securing the data in transit?

需要将View中的一些CC数据提交给控制器进行处理,我可以只发布它还是有一些常用的方法来保护传输中的数据?

3 个解决方案

#1


12  

Post the data using SSL.

使用SSL发布数据。

Here's a good resource on setting up SSL with IIS and ASP.NET.

这是使用IIS和ASP.NET设置SSL的一个很好的资源。

#2


1  

Posting with SSL like Rex M mentioned is definitely the first step. You should probably make the page where they are typing their credit card number SSL as well. This will give your users the green URL of comfort.

使用像Rex M这样的SSL发帖绝对是第一步。您可能应该在他们输入信用卡号SSL的页面上进行操作。这将为您的用户提供舒适的绿色URL。

You should also include protection against CSRF attacks. Use the anti-forgery token.

您还应该包括针对CSRF攻击的保护。使用防伪令牌。

Also, you should use the PRG (Post, Redirect, Get) pattern to make sure that the credit card numbers aren't submitted twice. After the post, don't just render a different view, send a redirect so their browser does a GET against another URL - probably your confirmation page.

此外,您应该使用PRG(发布,重定向,获取)模式来确保信用卡号码不会提交两次。发布后,不要只渲染不同的视图,发送重定向,以便他们的浏览器对另一个URL进行GET - 可能是您的确认页面。

You'll run into a few ASP.NET MVC specific things:

您将遇到一些ASP.NET MVC特定的事情:

  1. If you have some http pages and some https pages, how will you code the links to the https pages from the http pages. You can hard code them, but you'll have to hard code the domain and protocol. You can't just use <%= Html.ActionLink(... see this SO question for more details.

    如果您有一些http页面和一些https页面,您将如何编写从http页面到https页面的链接。您可以对它们进行硬编码,但您必须对域和协议进行硬编码。您不能只使用<%= Html.ActionLink(...请参阅此SO问题以获取更多详细信息。

  2. You'll want to make sure you can't hit your controllers when you are not using SSL. This will help you catch any errors, and ensure that no one uses http instead of https. See the [RequireSsl] attribute in the futures assembly. Here's a blog post about it from Adam Salvo

    您不希望确保在不使用SSL时无法点击控制器。这将帮助您捕获任何错误,并确保没有人使用http而不是https。请参阅期货装配中的[RequireSsl]属性。这是来自Adam Salvo的博客文章

#3


0  

I haven't read about the implementation of the ASP.net-MVC. However, i believe that you have mixed up the terminology.

我还没有读过有关ASP.net-MVC的实现。但是,我相信你已经混淆了术语。

The MVC Pattern would be evaluated on the server end. [So there is little need to do security checks between the components (unless they are exposed outside the program)]

MVC模式将在服务器端进行评估。 [因此几乎不需要在组件之间进行安全检查(除非它们暴露在程序之外)]

I believe that many people get the impression that you are talking about HTTP POSTS after a form submission (as opposed to HTTP GETs)

我相信许多人会在表单提交后得到您正在谈论HTTP POSTS的印象(而不是HTTP GET)

#1


12  

Post the data using SSL.

使用SSL发布数据。

Here's a good resource on setting up SSL with IIS and ASP.NET.

这是使用IIS和ASP.NET设置SSL的一个很好的资源。

#2


1  

Posting with SSL like Rex M mentioned is definitely the first step. You should probably make the page where they are typing their credit card number SSL as well. This will give your users the green URL of comfort.

使用像Rex M这样的SSL发帖绝对是第一步。您可能应该在他们输入信用卡号SSL的页面上进行操作。这将为您的用户提供舒适的绿色URL。

You should also include protection against CSRF attacks. Use the anti-forgery token.

您还应该包括针对CSRF攻击的保护。使用防伪令牌。

Also, you should use the PRG (Post, Redirect, Get) pattern to make sure that the credit card numbers aren't submitted twice. After the post, don't just render a different view, send a redirect so their browser does a GET against another URL - probably your confirmation page.

此外,您应该使用PRG(发布,重定向,获取)模式来确保信用卡号码不会提交两次。发布后,不要只渲染不同的视图,发送重定向,以便他们的浏览器对另一个URL进行GET - 可能是您的确认页面。

You'll run into a few ASP.NET MVC specific things:

您将遇到一些ASP.NET MVC特定的事情:

  1. If you have some http pages and some https pages, how will you code the links to the https pages from the http pages. You can hard code them, but you'll have to hard code the domain and protocol. You can't just use <%= Html.ActionLink(... see this SO question for more details.

    如果您有一些http页面和一些https页面,您将如何编写从http页面到https页面的链接。您可以对它们进行硬编码,但您必须对域和协议进行硬编码。您不能只使用<%= Html.ActionLink(...请参阅此SO问题以获取更多详细信息。

  2. You'll want to make sure you can't hit your controllers when you are not using SSL. This will help you catch any errors, and ensure that no one uses http instead of https. See the [RequireSsl] attribute in the futures assembly. Here's a blog post about it from Adam Salvo

    您不希望确保在不使用SSL时无法点击控制器。这将帮助您捕获任何错误,并确保没有人使用http而不是https。请参阅期货装配中的[RequireSsl]属性。这是来自Adam Salvo的博客文章

#3


0  

I haven't read about the implementation of the ASP.net-MVC. However, i believe that you have mixed up the terminology.

我还没有读过有关ASP.net-MVC的实现。但是,我相信你已经混淆了术语。

The MVC Pattern would be evaluated on the server end. [So there is little need to do security checks between the components (unless they are exposed outside the program)]

MVC模式将在服务器端进行评估。 [因此几乎不需要在组件之间进行安全检查(除非它们暴露在程序之外)]

I believe that many people get the impression that you are talking about HTTP POSTS after a form submission (as opposed to HTTP GETs)

我相信许多人会在表单提交后得到您正在谈论HTTP POSTS的印象(而不是HTTP GET)