jwt: Why is my token shown in Chrome DevTools?


Problem description

I have an API in Express.js that will create blog posts and add them to my database. When I make a request from my React app inside of DevTools it will show my JWT. I am worried that when my site goes live people can see my token and make a request from their site to add unwanted posts. Please tell me what is going on and how I can prevent the security error.

Recommended answer

When you send a request with a token in the header it will look like this in the header pane in Developer Tools:

I assume that's what you are wondering about, whether it is safe or not.

The connection between the React app and the API is unencrypted when you are using ordinary HTTP. That makes a replay attack possible – an ISP or another server between the front-end and the API can read the token and pretend to be you later on with the read token.

The most important solution to that is to use HTTPS, which is encrypted HTTP. Potential attackers are unable to sniff and steal the tokens when you are using HTTPS. When you are dealing with usernames, passwords, etc., you should always use HTTPS.

HTTPS is free to use and not very hard to set up. See here for more details. There is also an interesting discussion here that you might want to read.
