如何防止签名令牌用户通过浏览器开发人员工具访问API响应?
[英]how to prevent signed token users from accessing the API response through brower developer tools?
问题描述
The web app already implements the JWT and HTTPS, the problem is the json response sent from server (Node js) to the signed token users is visible in client (react js) browser dev tool. 
该Web应用程序已经实现了JWT和HTTPS,问题是从服务器(节点js)发送到已签名令牌用户的json响应在客户端(反应js)浏览器开发工具中可见。 Is there any way I could use encryption modules to prevent the sensitive json API responses to be viewed plainly using the browser dev tool ?. 有什么办法可以使用加密模块来防止使用浏览器开发工具轻松查看敏感的json API响应? Note: I have tried Obfuscation techniques but not convinced. 注意:我已经尝试过混淆技术,但是没有被说服。
1 个解决方案
解决方案1
2 2018-07-29 08:12:01
If the security of your application relies on the client behaving in a particular way (eg not displaying API responses directly to the user), then by definition, your application is not secure. 如果您的应用程序的安全性依赖于客户端以特定方式运行(例如,不直接向用户显示API响应),那么根据定义,您的应用程序是不安全的。
Your API should be secure regardless of who is communicating with it (software written by you versus a third party). 无论与谁进行通讯(您与第三方编写的软件),API都应该是安全的。
The fact that you need to ask this demonstrates that a fundamental part of your application is poorly designed. 您需要提出的事实表明您的应用程序的基本部分设计不良。
Ask yourself why you need to hide this information from the user, and solve that problem instead. 问自己,为什么需要向用户隐藏此信息,然后解决该问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.