How to authenticate a REST API used by JavaScript (since the code is public)

Tl;dr: How to secure an internal API only used for AJAX calls on the website itself.

I have a REST API (PHP 7.2) that will be consumed by Javascript (client side)

Normally I build server-side apps (then I am in control and use either a secret or a token), however, with JS being public I am lost.

I wanted basic auth, can't because a user can view source and get the username and password.

I wanted to use a private key, again inspect element and the key is visible.

I wanted to whitelist the domain (PHP Side), the domain can be spoofed.

I wanted HMAC authentication, but again, inspect element and see the HMAC message.

How do I secure a REST API that will be consumed by AJAX?

dongyong5912: Someone gaining access to the API and using it for malicious purposes, or someone using the API and flooding my server with requests to populate his own website (costing me compute). The API in question populates stock market data via AJAX (to update prices dynamically); currently I use a PHP loop and render the stock prices at page load. If you leak stock market data (i.e. someone takes your API and runs it on their website), I get the bill.
over a year ago
duanliao2310: What kind of attack scenario are you concerned about?
over a year ago
dsfsdf7852: "with JS being public I am lost" - if the JS is public, then anyone can run it; if anyone can run the JS, why are you worried about the API also being public?
over a year ago

1 answer

What you are looking for (or, in this case, NOT looking for) is CORS (Cross-Origin Resource Sharing).

Simple way to do what you want - check the $_SERVER['REMOTE_ADDR'] against your server

if ($_SERVER['REMOTE_ADDR'] != 'myserverIP') {
    // reject the request here
}

(just so you know, that is secure - Reliability of PHP's $_SERVER['REMOTE_ADDR'])

Then, you can also force the 'Access-Control-Allow-Origin' to match your domain (a second-level security check - perhaps you want to keep things in a certain folder, etc.)

header("Access-Control-Allow-Origin: https://example.com");

and various other specific access_control methods if you like......

Here's a function I have been using (picked it up somewhere - most likely on SO and modified it a bit for my use...):

somewhere in PHP (I use a 'codes.php' file to store and easily change the codes as needed, then include it so they are globally available)

codes.php

$spIP = '127.0.0.1'; // whatever your IP is (must be a string, not a bare number)
$splink = "https://your-domain-url.tld";

then in a functions file

function checkCORS()
{
    global $spIP, $splink;
    if ($_SERVER['REMOTE_ADDR'] != $spIP) {
        return false;
    }
    header("Access-Control-Allow-Origin: $splink");
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Max-Age: 6400');
    if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
        // you have to handle OPTIONS requests as some other method or you will get an error message
        if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']))
            header("Access-Control-Allow-Methods: POST");
        if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']))
            header("Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}");
        exit(0);
    }
    return true;
}

I'm using this on a secure-data program and so far, every way I've tried to hack into it hasn't worked (not saying there isn't some way in, but I can't find one..)

A nice tool to test with is available at https://www.test-cors.org/
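The following is an added example and not the answer's code. It shows the layers a server can combine for an API that only the site's own pages should call: an Origin allowlist for the CORS headers (checking the Origin request header rather than REMOTE_ADDR, since REMOTE_ADDR holds the address of the connecting client, not of the server), a short-lived HMAC token bound to the visitor's PHP session that the server embeds in the page it renders, and a per-session rate limit that bounds the cost mentioned in the comments. The origins, the token lifetime, the X-Api-Token header name and the API_TOKEN_SECRET environment variable are assumptions.

```php
<?php
// Added example, not the answer's code. Three layers for an AJAX-only API:
// an Origin allowlist for CORS, a session-bound token embedded by the page
// that renders the prices, and a per-session rate limit. Origins, TTL,
// header name and env var name are assumptions.

const ALLOWED_ORIGINS = ['https://example.com', 'https://www.example.com'];
const TOKEN_TTL = 300;      // seconds a page-embedded token stays valid

// 'allowed' (emit CORS headers for it), 'none' (no Origin header: same-origin
// navigation or non-browser client, the token decides) or 'denied' (a browser
// on a foreign origin).
function classifyOrigin(?string $origin): string {
    if ($origin === null || $origin === '') {
        return 'none';
    }
    return in_array($origin, ALLOWED_ORIGINS, true) ? 'allowed' : 'denied';
}

// Emit CORS headers only for an allowlisted origin and answer preflights.
// Returns false when the request must be rejected.
function applyCors(array $server): bool {
    $origin = $server['HTTP_ORIGIN'] ?? null;
    switch (classifyOrigin($origin)) {
        case 'denied':
            http_response_code(403);
            return false;
        case 'allowed':
            header("Access-Control-Allow-Origin: $origin");
            header('Vary: Origin');                  // keep caches per origin
            header('Access-Control-Allow-Credentials: true');
            header('Access-Control-Allow-Methods: GET, POST');
            header('Access-Control-Allow-Headers: X-Api-Token, Content-Type');
            header('Access-Control-Max-Age: 600');
            if (($server['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
                http_response_code(204);             // preflight needs no body
                exit;
            }
    }
    return true;
}

// Token "<expiry>.<hmac>" keyed by the server secret and bound to the PHP
// session id; the page that renders the prices embeds it for its own JS.
function mintToken(string $sessionId, string $secret, int $now): string {
    $exp = $now + TOKEN_TTL;
    return $exp . '.' . hash_hmac('sha256', "$sessionId|$exp", $secret);
}

function verifyToken(string $token, string $sessionId, string $secret, int $now): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    [$exp, $mac] = $parts;
    if ((int) $exp < $now) {
        return false;                                // expired
    }
    $expected = hash_hmac('sha256', "$sessionId|$exp", $secret);
    return hash_equals($expected, $mac);             // constant-time compare
}

// Fixed-window counter kept in the session: at most $limit calls per $window
// seconds per visitor, which bounds the cost of someone looping the API.
function allowRequest(array &$session, int $now, int $limit = 60, int $window = 60): bool {
    $bucket = $session['rl'] ?? ['start' => $now, 'count' => 0];
    if ($now - $bucket['start'] >= $window) {
        $bucket = ['start' => $now, 'count' => 0];
    }
    $bucket['count']++;
    $session['rl'] = $bucket;
    return $bucket['count'] <= $limit;
}

// Request handling for the price endpoint (skipped when run from the CLI).
if (PHP_SAPI !== 'cli') {
    session_start();
    $secret = getenv('API_TOKEN_SECRET') ?: 'PLACEHOLDER-set-API_TOKEN_SECRET';
    if (!applyCors($_SERVER)) {
        exit;
    }
    $now = time();
    $token = $_SERVER['HTTP_X_API_TOKEN'] ?? '';
    if (!verifyToken($token, session_id(), $secret, $now)) {
        http_response_code(403);
        exit;
    }
    if (!allowRequest($_SESSION, $now)) {
        http_response_code(429);
        exit;
    }
    header('Content-Type: application/json');
    echo json_encode(['prices' => ['ACME' => 12.34]]); // constructed sample payload
}
```

The page that renders the prices calls session_start(), prints the value of mintToken(session_id(), $secret, time()) into an inline script, and the site's JavaScript sends it back in the X-Api-Token header on every AJAX call. A browser on another site cannot obtain a valid token without a session cookie from this server, and a script that loads the page itself still has to carry that session and stays inside the per-session quota, which is the cost concern raised in the comments; as the third comment notes, nothing can stop a client that runs the public JavaScript, so the layers raise the cost and make abuse measurable rather than making the API private.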
