
Authenticating POST requests

I'm creating a tampermonkey userscript that sends a POST request from a website containing the user's high score. Something like this, for example:

$.post('https://example.com/scores', {
    id: 123, high_score: 999,
});

However, the issue is it's very easy for users to forge a fake score and send their own POST request with a fake high_score. Would there be a way to somehow authenticate these requests so I could differentiate between real requests from my userscript and forged fake ones from users? Perhaps some encryption/decryption?

You can add a hidden input to your page with a nonce (number only used once; it can be generated based on the platform you are using (unique identifier)) value in it. When you send the POST, read the value and add it to your POST body. On the server side you check if this nonce exists in the database; if so, this post is authentic, otherwise it is not. On your back end you could save this nonce with the session if you have sessions. This is an example:

<input type="hidden" value="your-nonce" id="your-id">

<script>
let nonce = $("#your-id").val();
$.post('https://example.com/scores', {
    id: 123, high_score: 999, nonce
});
</script>

Notice: the technical posts on this site are published under the CC BY-SA 4.0 license. If you need to repost, please credit this site or the original source. For any questions, contact: yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM