Security in front-end applications
I'm new to anything to do with user authentication in general, both front-end and back-end. I'm building an application with Angular 2/5. I've found this tutorial by Jason Watmore that I will try to adapt for my needs. I see in the comments, Jason explains that for sites where you want the front-end to be secure, it is advisable to do authentication in a separate front-end app, and then redirect the user to the full app once the user has logged in. The reason being that no front-end app is secure, in that a user could alter variables to view routes that are protected by route guards, or other ways. That data is still secure from the back-end, but you have features you don't want the public knowing about in the front-end, like how you are analyzing data entered by users.
My question is, in regard to securing a front-end application, is this an absolute truth that it isn't possible? It makes sense, and I have a hunch it is true, but I was wondering if there are ways to at least make it very difficult to view guarded routes. (Like the route guard asks the server if the token is valid?... But then you could just mod the function to always return true, right? Hmm...)
[Edit] Could lazy loading come into play here? Would it be possible to build a module/route that the server only makes available once the user has logged in?
The difference between front-end code and back-end is that front-end is run on the computer of whoever is visiting the website, whereas back-end is run on a server usually hundreds of miles away. If it's front-end code, that means it's on the user's computer, which means they have access to it. You can be sneaky and make it so that only a knowledgeable "hacker" can actually see anything important, but it's impossible to hide front-end code. Their computer needs it, therefore the user has access to it.
It is a very reasonable thought to try and protect some front-end code from unauthenticated users, and lazy loading may in fact help with that.
A few thoughts: