这是对用户进行身份验证的安全方式吗?
[英]Is this a secure way to authenticate users?
问题描述
I am running a small local HTTP server that allows me to manage config files via GET requests.
我正在运行一个小型本地 HTTP 服务器,它允许我通过 GET 请求管理配置文件。 However, this action should require a password, so I came up with the following solution:但是,此操作需要密码,因此我想出了以下解决方案:
Let's say the password is test123 .假设密码是test123 。 I hashed the password using SHA-512 and saved it to a.txt-file on my web server.我使用 SHA-512 对密码进行哈希处理,并将其保存到我的 web 服务器上的 .txt 文件中。 When I want to get the config file main.json , I would send this request:当我想获取配置文件main.json时,我会发送这个请求:
http://192.168.178.72/config.php?mode=get&file=main&password=test123
Is this a secure way of doing it?这是一种安全的方式吗?
2 个解决方案
解决方案1
1 已采纳 2021-04-16 11:01:00
No, because as you can see, the credentials are being displayed on the url, use POST instead.不,因为如您所见,凭据显示在 url 上,请改用 POST。
解决方案2
0 2021-04-17 22:32:31
No, you should use https instead and a POST request to avoid printing the passphrase in the url.不,您应该改用 https 和 POST 请求,以避免在 url 中打印密码。
As long as you use http, every connection or connection attempt could suffer under a man-in-the-middle attack.只要您使用 http,每次连接或连接尝试都可能受到中间人攻击。 Use of https and proper certificate pinning could avoid this使用 https 和正确的证书固定可以避免这种情况
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.