
REST API Client only in HTML / JS

Is it possible to build a client for a REST API purely in HTML / JS and still prevent CSRF?

It's possible.

CSRF prevention is usually made for simple websites, not APIs, since APIs are generally intended to be accessed by other websites. Hidden crumbs and tokens, which are the most common way to prevent this kind of attack, won't work properly on consumable APIs.

What you probably need is a good main authentication mechanism. One of the main weaknesses of web applications vulnerable to CSRF is cookies. If your API doesn't need them, using another auth mechanism (like OAuth or HTTP Digest) may be the answer, so external users can still use the API safely (without nasty crumb verifications).

Both HTTP Auth Basic and OAuth 2.0 are feasible under JS client applications. There is a demo for OAuth2 here: https://gist.github.com/563893

Twitter uses its own public API inside the main website, so there is proof that something like this is possible, although I'm not sure how specifically they prevent external CSRF. Every request is made by a receiver (located here: https://api.twitter.com/receiver.html ) and authorization tokens are tunneled by cookies. You'll probably need to research their implementation further.
