How to accept requests only from the client

I'm doing my own project. A simple game on VueJS. And it has registration on JWT. When the user wins/loses, the client sends a corresponding request to the backend to increase the number of wins/defeats in the database.

Making endpoints for this, I realized that I can restrict access to my API from other resources using CORS. But after all, the user can get his JWT access token from the localStorage or view it in other requests in the network tab. And looking in the same tab at what the request sent when winning looks like, he can send the same request from the browser console using fetch with the token he received earlier. This way he will be able to increase the number of wins without playing the game. And CORS will not block this request in any way, because the Origin header will be the same.

And so the question is: how can my API accept only requests sent by my game (axios)?

Unfortunately, this isn't possible. As you've noticed, you can send requests straight from the browser console. Moreover, you can change the JavaScript code during runtime, so you can't even trust your own code. So the only solution is to change the way your application works.
The only source of truth is your server, and from there you can decide which player wins or loses. Each turn should be signalled to the server by sending a request or a WebSocket message. When the game finishes, the server should then send a message to your client reporting the score.
In the case of a single-player game, you should verify the player's score on the server side by sending all the required information.
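To make the answer's point concrete, here is an added example (not code from the question or the answer) contrasting the two designs in plain Node.js. The first handler is the pattern the question describes: the client reports "I won" and the server believes it. The second is server-authoritative: the client only submits moves, and the server, which holds the secret, decides the outcome and updates the tally. The game itself (guess a number from 1 to 10 in three attempts), the in-memory session store and the stubbed verifyToken() are all assumptions made for this example; a real app would verify the JWT signature and expiry and persist to a database.

```javascript
// Added example: client-trusted scoring vs. server-authoritative scoring.
// Everything below (game rules, in-memory stores, verifyToken stub) is
// constructed for illustration and is not part of the original Q&A.

const MAX_ATTEMPTS = 3;
const games = new Map(); // userId -> { secret, attempts, finished }
const stats = new Map(); // userId -> { wins, losses }

// Stand-in for JWT verification: extracts a user id from a token of the
// form "user-<id>". A real implementation verifies signature and expiry.
function verifyToken(token) {
  const m = /^user-(\w+)$/.exec(token || "");
  return m ? m[1] : null;
}

function getStats(userId) {
  if (!stats.has(userId)) stats.set(userId, { wins: 0, losses: 0 });
  return stats.get(userId);
}

// INSECURE: the design from the question. The token is valid, so the
// server increments whatever the client claims. Any user can replay this
// from the browser console with {won: true} without playing at all.
function insecureReportResult(token, body) {
  const userId = verifyToken(token);
  if (!userId) return { status: 401 };
  const s = getStats(userId);
  if (body.won) s.wins += 1;
  else s.losses += 1;
  return { status: 200, stats: { ...s } };
}

// SECURE: the server starts a game and keeps the secret. The client never
// learns it and never sends an outcome, only moves.
// `secret` is injectable for tests; a real game should draw it with
// crypto.randomInt rather than Math.random.
function startGame(token, secret = Math.floor(Math.random() * 10) + 1) {
  const userId = verifyToken(token);
  if (!userId) return { status: 401 };
  games.set(userId, { secret, attempts: 0, finished: false });
  return { status: 200, maxAttempts: MAX_ATTEMPTS };
}

// Each turn is a request to the server; the server alone decides win/loss
// and is the only code path that touches the stats table.
function submitGuess(token, body) {
  const userId = verifyToken(token);
  if (!userId) return { status: 401 };
  const game = games.get(userId);
  if (!game || game.finished) return { status: 409, error: "no active game" };
  const guess = Number(body.guess);
  if (!Number.isInteger(guess) || guess < 1 || guess > 10) {
    return { status: 400, error: "guess must be an integer 1..10" };
  }

  game.attempts += 1;
  const s = getStats(userId);
  if (guess === game.secret) {
    game.finished = true;
    s.wins += 1;
    return { status: 200, result: "win", stats: { ...s } };
  }
  if (game.attempts >= MAX_ATTEMPTS) {
    game.finished = true;
    s.losses += 1;
    return { status: 200, result: "loss", stats: { ...s } };
  }
  return {
    status: 200,
    result: guess < game.secret ? "higher" : "lower",
    attemptsLeft: MAX_ATTEMPTS - game.attempts,
  };
}
```

Note that in the secure version a finished game cannot be "won again" (the 409 on a finished session) and the tally only changes inside submitGuess, so replaying a captured request from the console can at most play another turn of a game the server is already tracking. The same shape applies to a multiplayer game over WebSockets: each message is a move, and the server alone emits the final score.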
