
Correct way to connect front end to back end securely?

Right now both my servers are working well and in sync, using ajax GET and POST requests (JSON) to my backend. The problem is I doubt this is a secure way to achieve my goal. I have a few questions.

  1. My understanding of it is that the client is directly accessing the back end through the webpage/ajax, not the front end. Is this a correct way of thinking of it?

  2. Would the solution be to grab the data from the user, then send it through the node server that's running the front end, then post that to the back end?

  3. Is this where SSL steps in?

  4. In the current method the backend address (http://backend.com/data) is public; is this a problem?

  5. Is there a checklist that covers basic webpage security? I can't seem to find one.

This is the JavaScript code in the HTML of my webpage:

    // GET the current data set from the backend and keep it in extresults
    $.ajax({
      type: 'GET',
      url: 'http://backend.com/data',
      success: function(data) {
        extresults = data;
        console.log(extresults);
      }
    });

    // POST one object to the backend
    $.ajax({
      type: 'POST',
      url: 'http://backend.com/data',
      data: {"la" : "lala"},
      success: function(data) {
        alert("post is good");
      }
    });

I'm having a little trouble understanding what you mean by client vs "client server", so I'm going to answer this at a slightly higher level of abstraction.

Starting at the most basic level, a connection needs to have three properties before you can begin to call it secure: confidentiality, verification, and validation.

A secure connection must be confidential; that is, a third party cannot read or modify the data being communicated. This property is usually provided by cryptography, via HTTPS (for web applications). If the data is encrypted in transit, a third party will be unable to read it, as they lack the requisite key. In addition, in a well-designed cryptosystem, an attacker will be unable to modify the data in a useful way. They can substitute in random data, but, without the key, they have no way of sending a message that will decrypt to the data they want to send. Either the decryption will fail, or it will decrypt to some unpredictable value.

A secure connection must be verified, meaning that both parties to the communication need to know who the other party is. On the server side, HTTPS provides this property; the server presents its HTTPS certificate, and the client knows that only the owner of a certificate can present it in this manner. Therefore, if the client trusts the certificate, meaning that they trust the issuer of the certificate to have verified that the owner of the certificate is who they say they are, they know that the server is who they think it is (this is a gross oversimplification, and I advise looking up how HTTPS actually works). On the server side, however, you need some other method of verifying the client's identity; you don't need a certificate to be a client in an HTTPS connection (although you can use one! I'd look up HTTPS client certificates). This is handled through some method of "logging in". Usually, the client starts the connection as a nobody, and provides some information to the server that proves that the client has a certain identity: a username and password, a signature, an OTP, etc. Once the client has proven their identity, the server typically gives them a cookie containing a value demonstrating that they have proven their identity: a large random nonce, a signed token, etc.

Finally, a secure connection must be validated. Even if you know that your data has not been tampered with, and you have verified who you're talking to, you still shouldn't blindly trust the data you receive. The client doesn't care as much about the data it receives from the server, but it is absolutely vital to validate the data the server receives from the client. This means that you shouldn't put any data you receive from the client into a command invocation, an SQL query, etc. You also shouldn't rely on any client data for sensitive program flow; don't check if a user is an admin by looking for an "admin=True" argument in their request. Always validate that the data you are receiving is what you are expecting before you do anything with it.

In summary, you should install a certificate on your server and set up HTTPS; require the client to authenticate (through some method) before you accept any data; and validate incoming data before you use it.

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish, please credit this site or the original source. For any questions contact yoyou2525@163.com.
