

Prevent my React / Gatsby contact form from being hijacked

I've a Gatsby (React) page with a contact form which sends the params to an API endpoint. The form is on the browser's client side.

That API endpoint sends to an email service provider, so far so good.

BUT how can I prevent people from sending emails directly to that endpoint /api/contact-form? In my contact form I have a ReCaptcha to do that, but the API endpoint is not "secured".

First I thought I could do that with a "host" check... but the page is on the client side...

Is it the right approach to create a token when the page is delivered to the client, and then check it on the API endpoint?

I assume you're talking about a CSRF token. It is definitely one way to prevent CSRF attacks. The other option could be setting CORS to allow only specific origins to access your API endpoints.

Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you repost them, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM