AngularJS-是否使用$ http.get()获取JSON配置文件安全?
[英]AngularJS - Is using $http.get() to get a JSON configuration file secure?
问题描述
I'm getting a JSON file using relative path to get a JSON configuration file with some sensitive authentication data as follows: $http.get('app/config.json').then(function (data) {} 
我正在使用相对路径获取JSON文件,以获取带有一些敏感身份验证数据的JSON配置文件,如下所示: $http.get('app/config.json').then(function (data) {}
It's working fine, but I'm wondering how secure this is? 一切正常,但我想知道这有多安全? Can this call be intercepted in any way and values substituted? 可以以任何方式截获此调用并替换值吗?
My site is deployed to https. 我的网站已部署到https。
Thanks, Alan. 谢谢,艾伦。
EDIT: To add more detail, the sensitive data I'm talking about it the redirect URI and client ID for an authentication flow; 编辑:要添加更多详细信息,我正在谈论的敏感数据是身份验证流程的重定向URI和客户端ID; if these were changed to a site that tried to mimic the authentication provider, then someone could steal a users username and password. 如果将这些更改为试图模仿身份验证提供程序的站点,则有人可能会窃取用户的用户名和密码。
1 个解决方案
解决方案1
0 已采纳 2018-01-25 12:42:16
configuration file with some sensitive authentication data
It doesn't really matter how the client got the credentials (either via ajax call or already included in the page source or ...). 客户端如何获取凭据(通过ajax调用或已包含在页面源中或...)并不重要。 When your browser/js/whatever uses the credentials to make a request, this will show up in the developer tools. 当您的浏览器/ js /无论使用何种凭据发出请求时,这都会显示在开发人员工具中。 So everyone can use those credentials. 这样每个人都可以使用这些凭据。 Thats pretty bad if you are billed by a 3rd party provider for using these credentials. 如果第三方提供商因使用这些凭据而向您收费,那就太糟糕了。
Can this call be intercepted in any way and values substituted?
As with the outgoing request, it will show up in the developer tools. 与传出请求一样,它会显示在开发人员工具中。
Don't send sensitive information to your client as long as you don't have to do it. 只要您不必将敏感信息发送给客户,就不要这样做。 Use a reverse proxy or the like. 使用反向代理等。 Add your credentials server-side. 在服务器端添加您的凭据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.