在轨道上的红宝石中确保参数
[英]secure params in ruby on rails
问题描述
I'm having a form that dont actually saving a model, so When i do POST the form, there is email and password, but somehow I dont want to expose my password to others. 
我有一个实际上不保存模型的表单,所以当我发布该表单时,会有电子邮件和密码,但是不知何故我不想将密码公开给其他人。 I did this config.filter_parameters to filter in the log 我做了这个config.filter_parameters过滤日志
but when I POST and I check browser, there are still having plain text for my password which I dont want to. 但是,当我发布并检查浏览器时,仍然有我不想输入的纯文本密码。 Is there any proper way to encrypt the params when sending that when I inspect in the browser, everyone will just see hashes or encrypted. 发送时是否有任何适当的方法来加密参数,当我在浏览器中进行检查时,每个人只会看到哈希值或已加密。
Oh ya,I meant the way not using SSL as well >.< 哦,是的,我的意思是也不要使用SSL>。<
1 个解决方案
解决方案1
1 已采纳 2013-03-25 10:41:25
If you can't use SSL, then you can't be secure. 如果您不能使用SSL,那么您将无法保证安全。
Even if you did private/public key encryption with JS before sending the passwords over the network, you can't trust that your encryption JS code wasn't compromised when being sent to the client. 即使您在通过网络发送密码之前使用JS进行了私钥/公钥加密,您也无法相信在发送给客户端时,加密JS代码没有受到损害。 After all, you want to encrypt because you are worried about network vulnerabilities. 毕竟,您要加密,因为您担心网络漏洞。
Of course, you could use JS encryption over an insecure protocol to give the illusion of security. 当然,你可以使用JS加密在不安全的协议给予安全的错觉 。 To be fair, the attack to compromise the passwords in this scenario would need to be more sophisticated than simple network sniffing. 公平地说,在这种情况下,用于破坏密码的攻击将比简单的网络嗅探更加复杂。
A great article on this topic is here: http://www.matasano.com/articles/javascript-cryptography/ 关于此主题的出色文章在这里: http : //www.matasano.com/articles/javascript-cryptography/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.