React.js SPA security issues

I would like to discuss how to secure an app that is an SPA in React with server-side rendering in Node.js, but which accesses our API on a different server, so that it is not vulnerable to various cross-site attacks and other security issues.

We have a JWT token issued by the API server, but that means storing the token in a cookie to be able to ship it to the API server after a page reload, which I don't think is the best idea. Do you have some better solutions?

Thanks

What I suggest is to make one gateway which does all the token validation and authentication. For that, this is what you will need.

1) Redis to store your token and session data.

2) Store your token in Redis; don't ever give it to the browser.

3) For accessing the token from Redis you should generate some special salted hash which you can store in a client cookie (make the cookie Secure and HttpOnly against cross-domain attacks).

4) Use this cookie for retrieving the token and validate it on the gateway before the request goes to your API server.
