Rails + Android中的Authenticity_token [英] Authenticity_token in Rails + Android

问题描述

我正在开发一个与Rails服务器通信的Android应用程序.我不想忽略authenticity_token，但我也不认为要求它是正确的答案.如何保护我的POST请求?

I am developing an Android application that communicates with a rails server. I don't want to ignore the authenticity_token but I also don't think asking for it is the right answer. What can be done to protect my POST requests?

推荐答案

在使用API​​时，像在Android应用程序中一样，要求提供真实性标记并不常见.这是因为生成了真实性令牌，以防止跨站点请求伪造攻击，仅适用于会话...通常，如果您访问的是API，则您不会(或无法)使用会话.因此，我在这里不必太担心生成真实性令牌.

It's uncommon to require authenticity tokens when you use an API, as you would for an Android application; this is because authenticity tokens are generated to protect against cross-site request forgery attacks, which are only possible with a session... and usually if you're accessing an API you don't (or can't) use a session. So I wouldn't be too concerned about generating authenticity tokens here.

要保护您的POST(或实际上是任何请求)，您可以使用许多选项.最简单的方法是使用 HTTP基本对每个请求进行身份验证，但更为复杂，但可以说，更安全的做法是实施 OAuth .两种方式都可以为使用您的应用并连接到您的网站的人们提供一定的安全性.

To protect your POSTs -- or indeed any request -- there are a number of options available to you. Simplest would be to authenticate each request with HTTP basic, and more complicated but arguably more secure would be to implement OAuth. Either way would provide some security for people using your app and connecting to your website.

这篇关于Rails + Android中的Authenticity_token的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！