如何在单页应用程序中处理敏感数据
[英]How to process sensitive data in single page apps
问题描述
I need to understand and maybe ideas about single page apps. 
我需要了解单页应用程序,也许还需要一些想法。
I want to create a project, i'll do it with MVC. 我想创建一个项目,我将使用MVC进行。 I also want to use AngularJS for client side programming. 我也想使用AngularJS进行客户端编程。
I know that AngularJS is good for single page applications and when working with SPAs you send your data to API to process. 我知道AngularJS非常适合单页应用程序,在使用SPA时,您会将数据发送到API进行处理。 But data sent from Angular is visible to user and open to be manipulated. 但是从Angular发送的数据对用户可见,并且可以进行操作。
I don't want users to be able to see any data or access to the API from the internet. 我不希望用户能够从互联网上看到任何数据或访问API。 Witch way i should follow? 我应该遵循的巫婆方式?
I'm thinking about keeping sensitive user data in MVC controller. 我正在考虑将敏感的用户数据保留在MVC控制器中。 For example let's say user Id is very sensitive for my project. 例如,假设用户ID对我的项目非常敏感。 If i keep user id in javascript variable, when i'm sending it to API with some command user will able to change the id and manipulate the system. 如果我将用户ID保留在javascript变量中,那么当我使用某些命令将其发送到API时,用户将能够更改ID并操纵系统。 But if i keep user-id in MVC controller, via user authentication, and send request to my MVC controller then the user won't be able to change it. 但是,如果我通过用户身份验证将用户ID保留在MVC控制器中,并将请求发送到我的MVC控制器,则用户将无法更改它。 But i know this is not the best way of doing things, there must be a more clever way. 但是我知道这不是最好的做事方法,必须有一种更聪明的方法。
I'll be glad if someone can explain how this things works in SPAs or when you use Angular and MVC together. 如果有人可以解释一下这在SPA中是如何工作的,或者当您同时使用Angular和MVC时,我将感到非常高兴。
1 个解决方案
解决方案1
2 已采纳 2014-06-02 17:25:43
This won't work, you can't prevent user from tampering the data, crafting custom request and doing whatever she wants at her side. 这是行不通的,您无法阻止用户篡改数据,制定自定义请求以及在自己身边做任何事情。
What you should do is to never trust upcoming data - which means validate every incoming id twice, once when you produce it and then when it comes back. 您应该做的是永远不要相信即将到来的数据-这意味着对每个传入ID进行两次验证,一次是在生成它时,然后是它返回时。 Either it comes plain and you verify if it's legal or you encrypt it so when it comes back you decrypt it. 它要么很简单,要么您验证它是否合法,要么对其进行加密,以便当它回来时可以对其进行解密。
Some data can be stored at the server side, the id you mention is such example. 一些数据可以存储在服务器端,您提到的ID就是这样的示例。 This way user never sees the data, what you pass is the session id which is a long random value, rather impossible to craft. 这样,用户永远不会看到数据,您传递的是会话ID,该ID是一个较长的随机值,很难制作。 This approach comes with the cost of server side resources that are used, the more users the more resources at the server stored between requests. 这种方法伴随着使用服务器端资源的代价,用户越多,请求之间存储在服务器上的资源就越多。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.