堆栈内存溢出
  简体   繁体   English

Rails 3.2-从客户端应用程序发送POST请求会带来任何安全风险吗?

[英]Rails 3.2 - Would sending a POST request from a client application pose any security risks?

 原文  2014-02-13 17:22:31       .net/ ruby-on-rails/ authentication/ post/ request

问题描述

I am planning on creating a client application in .NET that would send an HTTP POST request to my Rails application in order to update a given value in a database table. 我打算在.NET中创建一个客户端应用程序,该客户端应用程序会将HTTP POST请求发送到我的Rails应用程序,以便更新数据库表中的给定值。 I'm using PostgreSQL as a database for my Rails app. 我将PostgreSQL用作Rails应用程序的数据库。 As part of the POST request, I would need to send parameters with the URL to specify the information I'd like to update. 作为POST请求的一部分,我需要发送带有URL的参数以指定我要更新的信息。 Rails would then process the parameters and update the correct information in the database. 然后,Rails将处理参数并更新数据库中的正确信息。

I feel that this could easily be a security risk since it seems that anyone could theoretically send a POST request with different parameters to modify the database. 我认为这很容易带来安全风险,因为从理论上讲,任何人都可以发送带有不同参数的POST请求来修改数据库。 I know Rails has authentication tokens built into POST requests, so my intuition would be that my .NET requests would be rejected. 我知道Rails在POST请求中内置了身份验证令牌,因此我的直觉是我的.NET请求将被拒绝。

I was wondering if anyone could provide me with a little more insight on this topic. 我想知道是否有人可以为我提供有关此主题的更多见解。 Would my requests be accepted by Rails, and if so, what protections might be in place to stop anyone from making a POST request to the server? Rails会接受我的请求吗?如果可以,可以采取什么保护措施阻止任何人向服务器发出POST请求?

Thanks in advance! 提前致谢!

1 个解决方案

解决方案1
 0  2014-02-13 23:56:30

Yes your rails app will accept the post if you have your routes.rb file setup correctly. 是的,如果您正确设置了routes.rb文件,您的rails应用程序将接受该帖子。

What you are really asking is "How do a create a save/secure API in my rails app?" 您真正要问的是“如何在Rails应用程序中创建保存/安全API?”

I have done this quite a bit and what we do is have some kind of authentication process. 我已经做了很多,我们要做的是某种身份验证过程。 This may be a shared key (base plus some semi random portion) that is encrypted during transmission, or an actual sign in process. 这可以是在传输过程中加密的共享密钥(基本加半随机部分),也可以是实际的登录过程。

My suggestion is to have a shared key that you encrypt and include in your POST header. 我的建议是要有一个共享密钥,该密钥必须加密并包含在POST标头中。 You can retrieve it with something like 你可以用类似的东西来检索它 

token = request.env['HTTP_AUTH_TOKEN']

then just decrypt it and verify the semi random portion before accepting the POST 然后将其解密并在接受POST之前验证半随机部分

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 UWP中的POST请求未发送 - POST request in UWP not sending 使用自定义标头发送POST请求 - Sending POST request with custom headers 登录到具有发送POST请求的站点 - Login to a site with sending POST request 在我的asp.net mvc Web应用程序中使用带有WebClient()的Parallel.Foreach有任何缺点或风险吗? - are there any drawbacks or risks of using Parallel.Foreach with WebClient() inside my asp.net mvc web application 使用表单身份验证有哪些安全风险? - What are the security risks of using forms authentication? 此Web服务体系结构有哪些特定的安全风险? - What are the specific security risks of this web services architecture? .net中客户端/服务器应用程序中dll文件的安全性 - The security of dll files in a Client/Server application in .net Http Post发送带有空正文的请求 - Http Post is sending request with null body 从SQL Server 2012或SQL CLR C#发送HTTP POST请求 - Sending HTTP POST request from SQL Server 2012 or SQL CLR C# .Net桌面应用程序的安全性的任何示例 - Any example for Security of .Net Desktop application
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM