如何保护公共nodejs api仅对来自前端的请求
[英]how securing a public nodejs api to only requests from the frontend
问题描述
I have a node frontend express server and a node api express server. 
我有一个节点前端快递服务器和一个节点api快递服务器。
How can I best ensure that only requests that are made to the api are made from the frontend express server? 如何最好地确保仅对api的请求是从前端Express服务器发出的?
There is no user authentication so the user will not be sending a jwt with each request. 没有用户身份验证,因此用户将不会随每个请求发送jwt。
2 个解决方案
解决方案1
0 2018-09-11 15:35:39
The easiest way would be to set the Content Security Policy using Helmet.js And you can easily add other security features using Helmet. 最简单的方法是使用Helmet.js设置内容安全策略,然后可以使用Helmet轻松添加其他安全功能。
const helmet = require('helmet')
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
// styleSrc probably not needed but you can set those too
styleSrc: ["'self'", 'maxcdn.bootstrapcdn.com']
}
}))
This effectively tells the browser “only load things that are from my own domain”
https://helmetjs.github.io/docs/csp/ https://helmetjs.github.io/docs/csp/
https://github.com/helmetjs/helmet https://github.com/helmetjs/helmet
解决方案2
0 2018-09-13 02:05:45
in my opinions, you should 在我看来,你应该
- configure the firewall of api server to accept only ip address of the frontend express server with only port 443 also. 将api服务器的防火墙配置为仅接受仅具有端口443的前端Express服务器的IP地址。
- please add basic authentication to the header in every APIs, then the front-end must attach some username/password or secret to the header of all APIs calls. 请在每个API的标头中添加基本身份验证,然后前端必须在所有API调用的标头中附加一些用户名/密码或密码。
- in your server APIs, please include your security library, eg, helmet.js also. 在您的服务器API中,请同时包括您的安全性库,例如helmet.js。 it can help you secure your APIs server. 它可以帮助您保护API服务器。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.