
Safe place to save code

Where is the most secure place to store sensitive code on a server (e.g. authorization PHP, contact scripts, sensitive or protected JavaScript)?

You guys/girls got any tips or tricks on how to protect that kind of stuff?

You can use .htaccess to cut off remote access to PHP scripts (of course, you'll still be able to access them locally with server-side include). I presume your contact scripts are also PHP scripts. They can be handled this way too. Either way, if PHP works on your server, even if a user knew the location of a PHP file, they wouldn't be able to see the source code anyway. This only prevents certain unauthorized execution.

Regarding sensitive or protected JavaScript, you can use a JS compressor like this to obfuscate the code, but since JS is executed client-side, the user will be able to see whatever source code you give him.

Some observations

The problem you have is that in order to use any of this code, it needs to be readable by whatever process is using it (typically the webserver). That fact alone really makes it impractical to get extra security, unless you can resort to some type of queued offline processing.

Rule #1 - keep it out of the DocumentRoot (unless it should be there)

Rule #2 - run your own server (or VPS), and keep other people off of it

Rule #3 - lock the box down tight - port 22 (from specific IPs) and 80/443 from global

PS. JavaScript is executed in the web browser - there is not much you can do to secure it (other than obscure it), nor should you have to (e.g. NOT trusting external data is rule #0).

Another tactic is to store such PHP scripts above the public web folder. Your scripts can still access them. I often use this for data that I want to make available to logged in users for download. I have to make a script specifically to retrieve and send them the data, when it's needed, but nobody can access that data unless they are logged in and the script sends it to them.

With your scripts, it's even simpler - you don't make a means to access them. Your own scripts can include them, of course, and using .htaccess to control access is another worthwhile step.
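The pattern described in the last answer (private files kept above the public web folder, handed out only by a script that checks the login) and the point of the first answer (nothing outside the DocumentRoot can be fetched by URL, which is the stronger form of the .htaccess deny) can be combined in one gateway script. The following is an added example, not code from the thread or from any of its authors; the directory layout, the `$_SESSION['user_id']` flag set by a hypothetical login script, and PHP 8.1+ (for `str_contains`, `str_starts_with` and the `never` return type) are assumptions.

```php
<?php
// Added example, not part of the original thread. A download gateway:
// private files live OUTSIDE the DocumentRoot, so Apache never serves them
// directly; this script is the only path to them and it refuses anyone
// whose session does not say "logged in".
//
// Assumed (hypothetical) layout:
//   /var/www/example.com/public/download.php  <- this file, inside DocumentRoot
//   /var/www/example.com/private/             <- outside DocumentRoot
//   /var/www/example.com/private/report.pdf   <- a file only members may fetch

declare(strict_types=1);

session_start();

// The private directory, relative to this script; resolved with realpath() below.
const PRIVATE_DIR = __DIR__ . '/../private';

function deny(int $status, string $message): never
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $message;
    exit;
}

// Step 1: only authenticated users may proceed. The login script is assumed
// to set $_SESSION['user_id'] after it has verified the credentials.
if (empty($_SESSION['user_id'])) {
    deny(401, 'login required');
}

// Step 2: accept only a plain filename: starts with a letter or digit, then
// letters, digits, dot, underscore or hyphen, and never "..". Slashes and
// backslashes are excluded by the character class, so no directory part
// can be smuggled in.
$name = $_GET['file'] ?? '';
if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\z/', $name) || str_contains($name, '..')) {
    deny(400, 'bad filename');
}

// Step 3: resolve both the base directory and the target, then require the
// target to sit inside the base. realpath() collapses symlinks and "..", so
// a name that resolves somewhere else is refused even if it looked harmless.
$base = realpath(PRIVATE_DIR);
$path = realpath(PRIVATE_DIR . '/' . $name);
if ($base === false
    || $path === false
    || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)
    || !is_file($path)) {
    deny(404, 'not found');
}

// Step 4: stream the file as an opaque download so the browser neither
// renders it nor guesses a type. $name is safe in the header because of
// the strict pattern enforced in step 2.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

A request such as `download.php?file=report.pdf` from a logged-in session returns the file; the same request without a session gets a 401, and a name containing a path separator or `..` is rejected before the filesystem is touched. Because `private/` is not under the DocumentRoot, there is no URL that reaches its contents without going through this check, which is why keeping the files above the public folder matters more than any .htaccess rule placed beside them.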
