
Ideas on Protecting Web App data sources

I'm working on a new web app where a large amount of content (text, images, meta-data) is requested via an Ajax request.

No auth or login is required for a user to access this.

My concern is that you could easily look up the data source URL and hit it directly outside the app to get large amounts of data. In some ways, if you can do this you could probably also scrape the static HTML pages elsewhere that have this content.

Are there any suggestions on methods to obfuscate, hide, or otherwise make it very difficult to access the data directly?

Example: the web app HTML page contains a key that is republished every 30 min. On the server side the data is obfuscated based on this key. In order to get the data outside the app you'd need to figure out the data source, but also take the extra step of scraping the page for a key every 30 min.

I realize there is no 100% way to stop someone, but I'm talking more about deterrence.

Use sessions in your webapp. Make a note (e.g. a database entry or some other mechanism which your server-side code can access) when a valid request for the first page is received, and include code in the second page to exclude the data when processing a request without a corresponding session entry.

Obviously the specifics of how to do this will vary between languages, but most robust web platforms will support sessions, largely for this type of reason.

If you are wanting to display real-time data and are concerned about scrapers... if this is a big enough concern, then I suggest doing it with Flash instead of JS (AJAX). Have the data display within a Flash object. Flash can make real-time send/receive requests to the server just like AJAX. But the benefit of Flash is that the whole stage, data, code, etc. are within a Flash object, which cannot be scraped. The Flash object makes the request, you output the stuff as an encrypted string of code. Decrypt it within Flash and display from there.

"Are there any suggestions on methods to obfuscate, hide, or otherwise make it very difficult to access the data directly?"

This answers your own question: if the data is worth getting, it will be obtained, because obfuscating merely makes it harder to find.

You could, in the server-side script that processes the Ajax request and returns the data, check where the request came from.
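The session note from the first answer and the request-origin check from the last one, combined into one gate for the Ajax data endpoint, as an added example (not code from any of the posts). The in-memory store, the host name and the 30-minute TTL taken from the question are constructed assumptions; both checks are deterrents, since a scraper can fetch the page first and set its own Referer.

```python
import secrets
import time
from typing import Dict, Optional
from urllib.parse import urlsplit

SESSION_TTL = 30 * 60                 # seconds; mirrors the question's 30-minute window
ALLOWED_HOSTS = {"app.example.com"}   # assumed host that serves the HTML page

# Constructed in-memory store standing in for the "database entry" the answer mentions.
_sessions: Dict[str, float] = {}


def issue_session(now: Optional[float] = None) -> str:
    """Called when the first (HTML) page is served. Records a session token so the
    data endpoint can later tell a page view from a bare request to the data URL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _sessions[token] = now
    return token


def referer_ok(referer: Optional[str]) -> bool:
    """Origin check from the last answer: accept only a Referer naming one of our
    hosts. The header is client-supplied, so this deters casual scraping only."""
    if not referer:
        return False
    return urlsplit(referer).hostname in ALLOWED_HOSTS


def data_request_allowed(token: Optional[str], referer: Optional[str],
                         now: Optional[float] = None) -> bool:
    """Gate for the Ajax data endpoint: the request must carry a session issued by
    a page view within SESSION_TTL and a Referer from our own site."""
    now = time.time() if now is None else now
    issued = _sessions.get(token or "")
    if issued is None or now - issued > SESSION_TTL:
        _sessions.pop(token or "", None)   # drop the stale entry, if any
        return False
    return referer_ok(referer)
```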
