How to make sure requests are from my website?
Some smartass people are using my API-centric web app to clone my service and make it appear like their own. Is there a way to make sure all Ajax requests are for/from my website?
Sure, I could use the referrer header, but they could easily fake it.
Set a cookie on the client when it hits your site, before it sends any Ajax requests.
Then validate the cookie when serving the Ajax.
Or alternatively you could make your Ajax requests POST only. This way they are subject to the same origin policy.
It will break the whole RESTful ideology though.
http://en.wikipedia.org/wiki/Same_origin_policy
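One way to implement the cookie check suggested above, as an added example that is not from the original answer (Python; the secret, the cookie name `ajaxsess` and the one-hour lifetime are assumed values):

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

# Assumed values for this example: load the real secret from configuration.
SECRET = b"replace-with-a-long-random-secret"
COOKIE_NAME = "ajaxsess"
MAX_AGE = 3600  # seconds a cookie stays valid


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(now: Optional[int] = None) -> str:
    """Build the Set-Cookie value sent when a browser first loads the site."""
    now = int(time.time()) if now is None else now
    payload = f"{secrets.token_hex(8)}.{now}"
    value = f"{payload}.{_sign(payload)}"
    # HttpOnly: page script cannot read the value; SameSite=Strict: the
    # browser does not attach it to requests started from another site.
    return f"{COOKIE_NAME}={value}; HttpOnly; Secure; SameSite=Strict; Path=/"


def validate_cookie(cookie_header: str, now: Optional[int] = None) -> bool:
    """Check the Cookie header of an Ajax request before serving the API."""
    now = int(time.time()) if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)
    if COOKIE_NAME not in jar:
        return False
    parts = jar[COOKIE_NAME].value.split(".")
    if len(parts) != 3:
        return False
    nonce, issued, sig = parts
    # Constant-time compare so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(_sign(f"{nonce}.{issued}"), sig):
        return False
    return issued.isdigit() and now - int(issued) <= MAX_AGE
```

This only stops requests that a cloning page makes from inside the browser; a clone that proxies through its own server can fetch a cookie first and replay it, so treat the check as one layer rather than proof of origin.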