如何在客户端应用程序中隐藏customerid [英] How to hide customerid in a client side application

问题描述

我有一个使用api的角度单页应用程序，我必须将客户ID作为参数传递给客户端数据，但这不安全，因为clientid在前端暴露，任何人都可以轻松更改用户ID和传递参数，他将获得其他客户数据。如何保护它，以便没有人能看到其他客户数据。



我尝试过：



对它进行了研究，发现了一些方法，但需要最佳实践才能做到这一点。

I have an angular single page application which uses an api ,i have to pass customer id as parameter to get client data , but this is not secure since clientid is exposed at front end and any one can easily change the user id and pass in a parameter and he will get other customer data. How can i secure it so that no one can see other client data.

What I have tried:

Researched on it and found few ways but need best practice to do this.

推荐答案

你所描述的是一个不安全的直接对象参考：

十大2013-A4-Insecure直接对象参考 - OWASP [ ^ ]



使用序号来访问不同记录的数据使得攻击者猜测其他用户数据的URL是微不足道的。



您可以通过添加 GUID [ ^ ]记录的关键，只使用该键检索数据。



但是唯一的 real 解决方案是为您的代码验证发出请求的用户是否有权访问所请求的数据。如何操作取决于您的数据库结构和身份验证机制。

What you've described is an Insecure Direct Object Reference:
Top 10 2013-A4-Insecure Direct Object References - OWASP[^]

Using a sequential number to access data for different records makes it trivial for an attacker to guess the URL for other users' data.

You can make their life harder by adding a GUID[^] key to the record, and only using that key to retrieve the data.

But the only real solution is for your code to validate that the user making the request has permission to access the data being requested. How you do that will depend on your database structure and authentication mechanism.

@ Html.HiddenFor（model => model.Id）

@Html.HiddenFor(model=>model.Id)

这篇关于如何在客户端应用程序中隐藏customerid的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！