Securing NodeJS RESTful API and React client app
I have a backend RESTful API built in NodeJS and a front end application in React JS (NextJS), both hosted on AWS. The client and server communicate using a JWT token. I want to make sure both the client app and the server side app are highly secure.
What I've done:
Answers I've looked at and used:
How to secure client app (react) and API communication
According to RESTful Authentication, I'm using a token in HTTP headers (e.g. OAuth 2.0 + JWT), which I send with every client request
Using a refresh token: Refresh Token Jsonwebtoken
What I'm concerned about, and need some help with:
1. Since the JWT token is how the server validates the client, is the JWT communication secure? Are there other steps I can take to improve the JWT security?
2. Is this application architecture secure enough?
3. Is there anything else I can do to improve its security, as I'm really concerned and want to make sure it's very secure.
4. Should I encrypt the JSON payload sent from the client to the server? Because that's visible in any browser network tab under XHR, and I'm sending username & password as the payload for login.
I'm mostly concerned about security because I've integrated Stripe payment in the application, and I'm also storing some sensitive data.
Any recommendation would be highly appreciated; this is my first time deploying a production app.
From what you have done, the application must be pretty much secure.... except I would like to add a few things....