
Django rest auth store token securely

I'm trying to implement authentication with the django-rest-auth library in the backend, and I'm using React for the front-end. Django-rest-auth returns a token after authentication and I was guessing how to handle it.

  • From a security perspective, can that token be saved in an HTTPOnly cookie, or should it be kept only in memory?

  • Does a tested approach exist to achieve local persistence with django-rest-auth and React without implementing vulnerabilities in the website?

Every method of storing the token on the client side has some weakness:

  • storing the token in an HTTPOnly cookie makes the application vulnerable to CSRF attacks
  • storing the token in localStorage makes the application vulnerable to XSS attacks

I'm personally using localStorage to store the token because it is convenient. React has built-in XSS prevention and you can additionally switch on CSP (Content Security Protection). I wrote an article about my approach: https://saasitive.com/tutorial/react-token-based-authentication-django/ - the httpOnly vs localStorage discussion is at the end of the post. There is also a full tutorial on how to start a SaaS app with Django and React (link).
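The answer above lists the trade-off but does not show what the cookie-side option looks like on the server. The following is an added example, not code from the question, the answer, or django-rest-auth: plain-stdlib Python showing (1) a Set-Cookie header that keeps the token out of reach of page scripts, which is the XSS-side benefit of HttpOnly over localStorage, (2) the server-side CSRF gate that a cookie-carried token then requires, modelled on Django's own Origin/Referer check plus a double-submit token, and (3) a Content-Security-Policy value of the kind the answer recommends. The function names, the `csrftoken`/`X-CSRFToken` pairing, and the allowed origin `https://app.example.com` are assumptions chosen for the demonstration.

```python
"""Added example (not part of the original Q&A): HttpOnly token cookie,
CSRF gate for cookie-authenticated requests, and a CSP header value.
All names and the allowed-origin value below are assumptions."""
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed value: the only site allowed to issue state-changing requests.
ALLOWED_ORIGINS = {"https://app.example.com"}


def token_cookie(token: str, max_age: int = 3600) -> str:
    """Build the Set-Cookie value for the auth token.

    HttpOnly: document.cookie and any injected script cannot read it, which
    is the property localStorage lacks. Secure: never sent over plain HTTP.
    SameSite=Strict: the browser omits it on cross-site requests, which
    blocks classic CSRF in modern browsers; csrf_check() below is still
    applied server-side as defence in depth.
    """
    jar = SimpleCookie()
    jar["auth_token"] = token
    jar["auth_token"]["httponly"] = True
    jar["auth_token"]["secure"] = True
    jar["auth_token"]["samesite"] = "Strict"
    jar["auth_token"]["path"] = "/"
    jar["auth_token"]["max-age"] = max_age
    # output() prefixes the header name; we only want the value part.
    return jar.output(header="").strip()


def new_csrf_token() -> str:
    """Fresh, unguessable double-submit token (set as a readable cookie)."""
    return secrets.token_urlsafe(32)


def csrf_check(method: str, headers: dict, cookie_header: str) -> bool:
    """Return True if a cookie-authenticated request may proceed.

    Safe methods pass unconditionally. For state-changing methods the
    request must (a) carry an Origin, or failing that a Referer, from an
    allowed site, and (b) echo the csrftoken cookie in an X-CSRFToken
    header. A third-party page can do neither: it cannot set Origin to our
    site and cannot read our cookie to copy it into a header.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True

    # Header names are case-insensitive on the wire.
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin = hdrs.get("origin") or hdrs.get("referer")
    if not origin:
        return False
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" not in ALLOWED_ORIGINS:
        return False

    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "csrftoken" not in jar:
        return False
    expected = jar["csrftoken"].value
    sent = hdrs.get("x-csrftoken", "")
    # Constant-time comparison avoids leaking the token byte by byte.
    return hmac.compare_digest(expected, sent)


def csp_header(nonce: str) -> str:
    """Content-Security-Policy value that only runs our own scripts plus
    inline scripts tagged with this request's nonce; this is the CSP the
    answer suggests as a mitigation when the token lives in localStorage."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    )


if __name__ == "__main__":
    # Constructed sample exchange.
    print(token_cookie("deadbeef", 600))
    jar = f"auth_token=deadbeef; csrftoken={new_csrf_token()}"
    tok = jar.split("csrftoken=")[1]
    print(csrf_check("POST", {"Origin": "https://app.example.com",
                              "X-CSRFToken": tok}, jar))   # True
    print(csrf_check("POST", {"Origin": "https://evil.example",
                              "X-CSRFToken": tok}, jar))   # False
    print(csp_header(secrets.token_urlsafe(16)))
```

Note that `csrf_check` fails closed when Origin and Referer are both absent; Django takes the same stance for HTTPS requests, so a legitimate client must send at least one of them, which browsers do for same-origin fetch/XHR POSTs.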
