
AngularJS Secure Storage Media

I'm developing a client-side application using AngularJS. I need to request some authorization-related data from the server-side once and store it to be used in access control decisions. I don't want to request the data before every decision.

I tried to use browser local storage, but I found it can be edited in the browser, which is not acceptable in my case. I've also thought about encrypting the authorization data, but as long as the encryption is done client-side, it can be reverse-engineered.

Is there a secure (read-only) storage that can hold the authorization data to suit my case?

You're sending your data to the client, an environment you have no control over. What you can do at most is make it inconvenient for them to modify it.

To make it impossible to modify? You cannot do that. (Think of the problem abstractly: what you're trying to do is forbid the user to do some operations on his own device.)

That is why all kinds of security-related functions need to stay on the backend (an environment in your control), or at least include a backend component.

In your specific case, think of handling the view privileges on the client side as a usability feature: you don't want to direct your user to pages they are not supposed to see, but it is the backend's responsibility to only serve data they are actually allowed to access. So in case you have a malicious user who goes "where he's not supposed to", it'll be up to the backend to not send them data he's not supposed to see.

Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM