[英]How can I protect an HTTP POST request from only being received by an approved javascript client?
I have a URL that will accept POSTed data and store a record of it — this is for analytics. 我有一个URL,它将接受POST数据并存储它的记录-这是用于分析。 I need to secure that against anyone in the world from POSTing to it, but what possible authentication mechanism can I use that it is safe to expose the details of? 我需要确保从POST到世界上的任何人都可以免受攻击,但是我可以使用哪种可能的身份验证机制来安全地公开其详细信息? I don't think the javascript can access any secret data without making it public. 我认为JavaScript无法在不公开的情况下访问任何秘密数据。
I could base it off any HTTP header, but these can all be spoofed, right? 我可以将其基于任何HTTP标头,但是这些都可以被欺骗,对吗?
If it helps, both client and server are https. 如果有帮助,则客户端和服务器均为https。
Edit: I think I need to state the problem more explicitly; 编辑:我认为我需要更明确地陈述问题; sorry, I thought I could explain it concisely, but it's clearly not coming across! 对不起,我以为我可以简明扼要地解释它,但显然没有发现! Imagine the following: 想象以下情况:
A static page at https://example.com/index.html
includes a script, https://example.com/script.js
. https://example.com/index.html
的静态页面包含脚本https://example.com/script.js
。
The script makes a request to another remote URL, eg 该脚本向另一个远程URL发出请求,例如
ajax_call('https://stats.example.com/stats.php', 'some data');
stats.php
script simply writes 'some data'
to a file stats.php
脚本只是将'some data'
写入文件 Now, the flaw is that anyone can simply POST anything to stats.php
and it will write to the file. 现在的缺陷是,任何人都可以简单地将任何内容发布到stats.php
并将其写入文件。 I want to restrict that to just my 'client', ie https://example.com/index.html
. 我想将其限制为我的“客户”,即https://example.com/index.html
。
If I could, I would do something like this in stats.php
: 如果可以的话,我将在stats.php
:
if ($_SERVER["HTTP_REFERER"] == 'https://example.com') {
do_stuff();
} else {
die('not allowed');
}
but I've always been under the impression that HTTP_REFERER (and other similar headers) could just be spoofed, so that woud be pointless. 但是我一直给人的印象是,HTTP_REFERER(和其他类似的标头)可能只是被欺骗,所以毫无意义。
I need to secure that against anyone in the world from POSTing to it, but what possible authentication mechanism can I use that it is safe to expose the details of? 我需要确保从POST到世界上的任何人都可以免受攻击,但是我可以使用哪种可能的身份验证机制来安全地公开其详细信息?
If the endpoint needs to be accessed by the browser of everybody who visits a public website, then you can't. 如果访问公共网站的每个人的浏览器都需要访问端点,则不需要。
The browser is completely under the user's control. 浏览器完全在用户的控制之下。 They can inspect everything the browser does. 他们可以检查浏览器所做的一切。 They can then recreate that using some other HTTP client. 然后,他们可以使用其他HTTP客户端重新创建该客户端。
If you trust the browser enough to let it make the request to your analytics API then you must trust the owner of the browser too. 如果您对浏览器的信任足以让其向您的Analytics API发出请求,那么您也必须信任浏览器的所有者。 It is impossible to separate them. 将它们分开是不可能的。
The best you can do is analyse the data sent to the analytics API for usual or impossible patterns of behaviour. 您能做的最好的事情就是分析发送到Analytics API的数据,以了解通常或不可能的行为方式。
您可以使用CORS
,因此使您的后端仅接收来自特定主机/ DOMAIN
请求
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.