堆栈内存溢出
  简体   繁体   English

如何保护HTTP POST请求仅被批准的javascript客户端接收?

[英]How can I protect an HTTP POST request from only being received by an approved javascript client?

 原文  2019-05-06 10:59:42       javascript/ http/ security/ authentication/ analytics

问题描述

I have a URL that will accept POSTed data and store a record of it — this is for analytics. 我有一个URL,它将接受POST数据并存储它的记录-这是用于分析。 I need to secure that against anyone in the world from POSTing to it, but what possible authentication mechanism can I use that it is safe to expose the details of? 我需要确保从POST到世界上的任何人都可以免受攻击,但是我可以使用哪种可能的身份验证机制来安全地公开其详细信息? I don't think the javascript can access any secret data without making it public. 我认为JavaScript无法在不公开的情况下访问任何秘密数据。

I could base it off any HTTP header, but these can all be spoofed, right? 我可以将其基于任何HTTP标头,但是这些都可以被欺骗,对吗?

If it helps, both client and server are https. 如果有帮助,则客户端和服务器均为https。

Edit: I think I need to state the problem more explicitly; 编辑:我认为我需要更明确地陈述问题; sorry, I thought I could explain it concisely, but it's clearly not coming across! 对不起,我以为我可以简明扼要地解释它,但显然没有发现! Imagine the following: 想象以下情况:

  1. A static page at https://example.com/index.html includes a script, https://example.com/script.js . https://example.com/index.html的静态页面包含脚本https://example.com/script.js

  2. The script makes a request to another remote URL, eg 该脚本向另一个远程URL发出请求,例如 

     ajax_call('https://stats.example.com/stats.php', 'some data');
  3. The stats.php script simply writes 'some data' to a file stats.php脚本只是将'some data'写入文件

Now, the flaw is that anyone can simply POST anything to stats.php and it will write to the file. 现在的缺陷是,任何人都可以简单地将任何内容发布到stats.php并将其写入文件。 I want to restrict that to just my 'client', ie https://example.com/index.html . 我想将其限制为我的“客户”,即https://example.com/index.html

If I could, I would do something like this in stats.php : 如果可以的话,我将在stats.php 

if ($_SERVER["HTTP_REFERER"] == 'https://example.com') {
    do_stuff();
} else {
    die('not allowed');
}

but I've always been under the impression that HTTP_REFERER (and other similar headers) could just be spoofed, so that woud be pointless. 但是我一直给人的印象是,HTTP_REFERER(和其他类似的标头)可能只是被欺骗,所以毫无意义。

2 个解决方案

解决方案1
 1 已采纳  2019-05-06 15:27:53

I need to secure that against anyone in the world from POSTing to it, but what possible authentication mechanism can I use that it is safe to expose the details of? 我需要确保从POST到世界上的任何人都可以免受攻击,但是我可以使用哪种可能的身份验证机制来安全地公开其详细信息?

If the endpoint needs to be accessed by the browser of everybody who visits a public website, then you can't. 如果访问公共网站的每个人的浏览器都需要访问端点,则不需要。

The browser is completely under the user's control. 浏览器完全在用户的控制之下。 They can inspect everything the browser does. 他们可以检查浏览器所做的一切。 They can then recreate that using some other HTTP client. 然后,他们可以使用其他HTTP客户端重新创建该客户端。

If you trust the browser enough to let it make the request to your analytics API then you must trust the owner of the browser too. 如果您对浏览器的信任足以让其向您的Analytics API发出请求,那么您也必须信任浏览器的所有者。 It is impossible to separate them. 将它们分开是不可能的。

The best you can do is analyse the data sent to the analytics API for usual or impossible patterns of behaviour. 您能做的最好的事情就是分析发送到Analytics API的数据,以了解通常或不可能的行为方式。

解决方案2
 0  2019-05-06 14:53:47

您可以使用CORS ,因此使您的后端仅接收来自特定主机/ DOMAIN请求

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 我如何保护 api 免受客户的侵害? - How can i protect api from client? 如何延迟来自用户表单的 POST 请求,直到收到来自 Stripe 的 webhook POST 之后? - How can I delay a POST request from a user form until AFTER a webhook POST from Stripe is received? 如何在 JavaScript 中提取自定义 HTTP POST 请求 header 以便在另一个 POST 请求中传输? - How can I extract a custom HTTP POST request header in JavaScript for it to be transmitted in another POST request? 如何将POST请求中的JSON发送给客户端? - How can I send the JSON coming from a POST request to the client? 我已经从我的jsp服务器中的android应用收到了HTTP POST,如何将数据传递到Javascript函数中 - I've received an HTTP POST from an android app in my jsp server, how do I pass that data into a Javascript function 客户端javascript:不允许使用CORS时,如何获取HTTP请求的响应标头? - Client-side javascript: how can I get the response header of a HTTP request when CORS is not allowed? Javascript-如何在不重定向HTTP请求的情况下发送它? - Javascript - How would I send a http request without it being redirected? 如何使用“no-cors”将 JavaScript HTTP post 请求代码更改为 C#? - How can I change JavaScript HTTP post request code to C#, using 'no-cors'? 我们如何使用JavaScript发送HTTP POST请求? - How can we send a HTTP POST request by using JavaScript? 仅在Angular中发出$ http请求后,才能运行javascript函数? - How can I run a javascript function only after a $http request has been made in Angular?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM