确保前端和后端之间通信的最佳方式

Question

For a schoolproject my project group and I are splitting the front-end from the back-end of an application. Now I want to make sure the security of this application is figured out correctly as it is going to be publicly used.

I'm already looking into a SSL certificate, but I want to be secure as possible.

As for now I have created the log in page as following:

front-end is basic html, javascript with angularjs, once the user filled in their username and password and pressed login, I send the data in JSON through post to my backend

$scope.sendPost = function() {
    var jsontext = JSON.stringify({
        username: $scope.username,
        password: $scope.password
    });
    $http.post("http://localhost:8080/login", jsontext).success(function(data, status) {
       $scope.user = data;
    })    
}

and on the back-end I have a servlet set up using jersey that handles it and sends back the needed userdata

@POST
@Path("login")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public String validateLogin(Request request) throws JSONException{
    JSONObject json = new JSONObject();
    // validate user blabla
    return json.toString();
}

I was wondering if this is secure enough and ways that would make the communication more secure

Answer 1

Term "secure front-back communication" includes a lot of stuff, and with HTTPS you are addressing just encryption, but missing sanitation, authentication, serialization, etc.

• Encryption: HTTPS is just one of the items a web application dev should issue if security is a concern. It encrypts communication between http client and server (excluding first ever handshake). A SSL certificate will handle this as you stated.

• CSRF : In your case, servlet filters should be implemented to prevent it. Basically, it involves adding an additional header ( X-CSRF ) to all requests from client. For Jersey implementation check CsrfProtectionFilter

• Input Sanitation: Remove unwanted characters from form inputs, or request values that could make server misinterpret them leading to unwanted behaviour. In your case, it could be implemented in validateLogin function.

Little plus: OWASP top 10 lists most common web application attack vectors, check it out!