
Security in front-end applications

I'm new to anything to do with user authentication in general, both front and backend. I'm building an application with Angular 2/5. I've found this tutorial by Jason Watmore that I will try to adapt for my needs. I see in the comments, Jason explains that for sites where you want the front-end to be secure, it is advisable to do authentication in a separate front-end app, and then redirect the user to the full app once the user has logged in. The reason being that no front-end app is secure, in that a user could alter variables to view routes that are protected by route guards, or other ways. That data is still secure from the back-end, but you have features you don't want the public knowing about in the front-end, like how you are analyzing data entered by users.

My question is, in regard to securing a front-end application, is this an absolute truth that it isn't possible? It makes sense, and I have a hunch it is true, but I was wondering if there are ways to at least make it very difficult to view guarded routes. (Like the route guard asks the server if the token is valid?... But then you could just mod the function to always return true, right? Hmm...)

[Edit] Could lazy loading come into play here? Would it be possible to build a module/route that the server only makes available once the user has logged in?

The difference between front-end code and back-end is that front-end is run on the computer of whoever is visiting the website, whereas back-end is run on a server usually hundreds of miles away. If it's front-end code, that means it's on the user's computer, which means they have access to it. You can be sneaky and make it so that only a knowledgeable "hacker" can actually see anything important, but it's impossible to hide front-end code. Their computer needs it, therefore the user has access to it.

It is a very reasonable thought to try and protect some front-end code from unauthenticated users, and lazy loading may in fact help with that.

A few thoughts:

  • Only allowing certain (authenticated) users to download certain front-end files does increase security by making such code impossible to analyse for potential external attackers. So people not having credentials will have a harder time finding things like XSS in those parts of the application, which is an actual security benefit.
  • Something similar can be achieved by obfuscation, but obviously, that will never be as good as never giving away the code to unauthenticated users.
  • Doing this will make development (the process) in general a lot more complex, and complexity is not usually a good friend of security.
  • A lot of the attackers are not external. Having sensitive information in client-side code is not a good idea, and business logic can very much be sensitive by itself. Any valid user of the application can become an "attacker", and they will need to have this code if it's on the client.
  • So therefore, the best practice is to place such business logic on the server.
  • But ultimately, it's based on the risk you want to take. Factors that need to be considered include the price (amount of resources) of putting it all on the server, the potential loss if this info is lost to an adversary, the likelihood of that happening (i.e. are there 5 trusted users, or 150000 unknown ones), and your risk appetite.
