Best way to secure the communication between front-end and back-end
For a school project my project group and I are splitting the front-end from the back-end of an application. Now I want to make sure the security of this application is figured out correctly, as it is going to be publicly used.

I'm already looking into an SSL certificate, but I want to be as secure as possible.

For now I have created the login page as follows:

The front-end is basic HTML and JavaScript with AngularJS. Once the user has filled in their username and password and pressed login, I send the data as JSON through POST to my back-end:
$scope.sendPost = function() {
    // Credentials are serialised to a JSON body; $http sends it with
    // Content-Type: application/json.
    var jsontext = JSON.stringify({
        username: $scope.username,
        password: $scope.password
    });
    $http.post("http://localhost:8080/login", jsontext).success(function(data, status) {
        // The back-end answers with the user data, which is bound to the scope.
        $scope.user = data;
    });
};
On the back-end I have a servlet set up using Jersey that handles it and sends back the needed user data:
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import org.json.JSONException;
import org.json.JSONObject;

@Path("/")
public class LoginResource {
    @POST
    @Path("login")
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    // Request: the class the JSON body is mapped onto by the JSON provider
    public String validateLogin(Request request) throws JSONException {
        JSONObject json = new JSONObject();
        // validate user blabla
        return json.toString();
    }
}
I was wondering whether this is secure enough, and what ways there are to make the communication more secure.
The term "secure front-back communication" includes a lot of stuff, and with HTTPS you are addressing just encryption, but missing sanitation, authentication, serialization, etc.

HTTPS is just one of the items a web application dev should address if security is a concern. It encrypts communication between HTTP client and server (excluding the first ever handshake).

CSRF: In your case, servlet filters should be implemented to prevent it. Basically, it involves adding an additional header (X-CSRF) to all requests from the client. For the Jersey implementation check CsrfProtectionFilter.

Input sanitation: Remove unwanted characters from form inputs, or request values that could make the server misinterpret them, leading to unwanted behaviour. In your case, it could be implemented in the validateLogin function.

Little plus: the OWASP Top 10 lists the most common web application attack vectors, check it out!
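The two server-side checks the answer recommends, worked through as an added example that is not code from the question or the answer. It is written in plain Node.js rather than Java so the check, the client-side header and a few constructed requests can run together offline; the CSRF rule is the one Jersey's CsrfProtectionFilter actually enforces (every request whose method is not GET, HEAD or OPTIONS must carry an X-Requested-By header, otherwise 400 Bad Request). The username policy (USERNAME_RE), the password length bounds, the USERS table and all request objects are assumptions constructed for the demo.

```javascript
'use strict';
// Added example (not code from the original question or answer). It shows the
// two server-side checks the answer recommends for the login endpoint: a CSRF
// check with the rule Jersey's CsrfProtectionFilter uses (non-safe methods must
// carry an X-Requested-By header), and strict validation of the JSON login body.
// All request objects below are constructed for the demo.

const CSRF_HEADER = 'x-requested-by';            // Jersey CsrfProtectionFilter.HEADER_NAME
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// CSRF check. A cross-site HTML form can POST a body and the browser will attach
// the victim's cookies, but the browser will not attach a custom header to a
// cross-origin request unless this server answers a CORS preflight allowing it.
// Requiring a custom header on every state-changing request therefore rejects
// forged form posts (as long as CORS is not opened up to arbitrary origins).
function csrfCheck(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) return { ok: true };
  const present = Object.keys(headers).some(h => h.toLowerCase() === CSRF_HEADER);
  return present ? { ok: true } : { ok: false, status: 400, reason: 'missing ' + CSRF_HEADER };
}

// Input validation for the login body. Rather than stripping "bad" characters
// (sanitising), accept only what a credential can legitimately be: a JSON
// object with two bounded strings. Anything else is rejected before it reaches
// the user store, so no lookup, query or log line ever sees it.
const USERNAME_RE = /^[A-Za-z0-9._@-]{1,64}$/;   // assumed policy; adjust to your user store
function parseLoginBody(contentType, rawBody) {
  if (!/^application\/json\b/i.test(contentType || '')) return null;
  let body;
  try { body = JSON.parse(rawBody); } catch (e) { return null; }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) return null;
  const { username, password } = body;
  if (typeof username !== 'string' || !USERNAME_RE.test(username)) return null;
  if (typeof password !== 'string' || password.length < 8 || password.length > 128) return null;
  return { username, password };
}

// Minimal handler tying both checks together. The credential check is a stand-in
// (constructed single-user table) for whatever the real back-end does.
const USERS = { alice: 'correct horse battery' };   // constructed demo data
function handleLogin(req) {
  const csrf = csrfCheck(req.method, req.headers);
  if (!csrf.ok) return { status: 400, body: { error: csrf.reason } };
  const creds = parseLoginBody(req.headers['content-type'], req.body);
  if (!creds) return { status: 400, body: { error: 'invalid login body' } };
  // Generic failure message: do not reveal whether the username exists.
  if (USERS[creds.username] !== creds.password) return { status: 401, body: { error: 'login failed' } };
  return { status: 200, body: { user: creds.username } };
}

// Client side: register the header once so every $http request carries it.
// (Call this from the AngularJS app's config block; shown here as a plain function.)
function configureCsrfHeader($httpProvider) {
  $httpProvider.defaults.headers.common['X-Requested-By'] = 'AngularJS';
}

// Constructed requests: the AngularJS client, a forged cross-site form post
// (the browser adds the victim's cookie but cannot add X-Requested-By), and a
// well-formed request whose username is an object instead of a string.
const fromAngular = { method: 'POST',
  headers: { 'content-type': 'application/json', 'x-requested-by': 'AngularJS' },
  body: JSON.stringify({ username: 'alice', password: 'correct horse battery' }) };
const forgedForm = { method: 'POST',
  headers: { 'content-type': 'application/x-www-form-urlencoded', cookie: 'JSESSIONID=demo' },
  body: 'username=alice&password=correct+horse+battery' };
const badBody = { method: 'POST',
  headers: { 'content-type': 'application/json', 'x-requested-by': 'AngularJS' },
  body: JSON.stringify({ username: { $ne: null }, password: 'correct horse battery' }) };

const results = [fromAngular, forgedForm, badBody].map(handleLogin);
console.log(results);   // statuses 200, 400, 400
```

Two caveats a reviewer would raise against the question's own code: the client posts to a hard-coded http://localhost:8080 URL, so until that becomes an https:// URL on the real host the certificate being looked into protects nothing; and the header check above only works if the server does not also answer CORS preflights with a wildcard origin that allows X-Requested-By.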