如何防止本地客户端访问我们的API
[英]how to prevent native clients from accessing our api
问题描述
We have a PHP REST API and an angularjs client. 
我们有一个PHP REST API和一个angularjs客户端。
We don't have and won't have any native clients, only the browser. 我们没有,也没有任何本地客户端,只有浏览器。
an attacker has made a fake website with fake accounts doing all payments with it and we're on the goal to prevent that. 攻击者使用虚假帐户制作了一个虚假网站,并用其进行所有付款,我们的目标是防止这种情况的发生。
Now we found a way to prevent a website server from accessing our API and the browser can't make the cross-domain request but nothing prevents an attacker from making a desktop app that accesses our API. 现在,我们找到了一种阻止网站服务器访问我们的API的方法,并且浏览器无法发出跨域请求,但是没有任何方法可以阻止攻击者制作访问我们API的桌面应用。
How to detect that the client is a browser and not a native client ? 如何检测客户端是浏览器而不是本机客户端?
PS 聚苯乙烯
I know that browsers can be embedded in desktop apps and for now I'm ok with that, just not a pure native client. 我知道浏览器可以嵌入到桌面应用程序中,现在我可以接受,但不是纯本地客户端。
1 个解决方案
解决方案1
0 2018-03-13 10:47:59
The only way to achieve this result is to do a challenge-response mechanism with Javascript so a "native client" would have to parse and evaluates the result, which is difficult without embedding a browser or Javascript V8 engine. 达到此结果的唯一方法是对Javascript执行challenge-response机制,因此“本地客户端”将不得不解析和评估结果,而如果不嵌入浏览器或Javascript V8引擎则很难。
Just print in the JavaScript a token by PHP and then JS would have to do cryptographic calculations. 只需用PHP在JavaScript中打印令牌,然后JS就必须进行密码计算。 More is polymorphic more it will be difficult to implement an automated bot without an embedded browser. 多态性越多,没有嵌入式浏览器就很难实现自动化机器人。
However, you cannot stop a native application with a JavaScript interpreter like V8 engine by google (which is heavy in size but really fast) 但是,您无法使用JavaScript解释器(例如Google的V8引擎)停止本机应用程序(该应用程序笨重但速度很快)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.