角REST API安全 [英] Angular REST API security
问题描述
我有我的应用程序的问题,当我用角来使用REST API请求
I have issue with my app when I use Angular to consuming REST API request
Web服务的URL存储在服务角或控制器JS文件
所以,如果我已经登录Web服务来检查像USENAME和密码:
The Web Service URLs store in the Angular service or controller js file so if I have Login web service to check usename and password like:
http://mylocal.com/api/service.json? api_user =用户名和放大器; API_KEY =密码
最终用户和开发者可以得到这个URL,并建立一个软件来尝试寻找用户名和密码,因此如何隐藏JS角Web服务的URL是否可能?
The end users or developers can get this url and build a software to try finding the username and password, so how to hide the web services urls in angular js if that possible?
例如:
$scope.submit = function(request) {
$scope.contactUsSuccess = false;
$http.post('/_/contactUs' +
"?firstName=" + encodeURIComponent(request.first) +
"&lastName=" + encodeURIComponent(request.last) +
"&email=" + encodeURIComponent(request.email) +
"&phone=" + encodeURIComponent(request.phone) +
"&company=" + encodeURIComponent(request.company) +
"&message=" + encodeURIComponent(request.message)
) // Contact us
.success(function(reply){
console.log(reply);
$scope.contactUsSuccess = true;
$scope.contactUs = "";
})
.error(function(){
alert('There seemed to be a problem with your submission. Please refresh the page and try again.')
});
};
您可以联系网址Web服务,使用它,所以我怎么能解决这个问题呢?
You can get the contact url web service and use it, so how can i solve this issue?
推荐答案
首先,这是非常糟糕的,如果你这样做了 HTTP 并没有 HTTPS 。发送此通过HTTP发送您的凭据text / plain的任何人都可以嗅出抢在网络上。
First off this is really bad if you're doing this over HTTP and not HTTPS. Sending this over HTTP sends your credentials in text/plain for anyone to sniff and grab on the network.
我假设他们不使用特定的防火墙规则,无论是。
I'm assuming they are not using specific firewall rules either.
由于您处理的REST端点,可以发起REST调用在几个不同的方式:
Because of the REST endpoint you're dealing with, you could initiate the REST call in a few different ways:
- 设置有它的pre定义的用户名/密码对的HTTP(S)代理。通过这种方式,而不是调用 https://someremoteapp.com/user=joe&pass=test你可以调用/休息
- 可能是更好的选择是建立一个后端代理服务,此API工作和隐藏后端的凭据。为此,您可以使用类似PHP和Ruby,Python和Node.js的...
- 最好的办法是问他们是否支持其他安全机制。
- Setup an HTTP(S) proxy that has that pre-defined username/password pair in it. That way instead of calling https://someremoteapp.com/user=joe&pass=test you could call /rest
- Probably the better option is to setup a back-end forwarder service to work with this API and hide the credentials on the back-end. You can do this using something like PHP, Ruby, Python, Node.JS...
- Best option is to ask if they support other security mechanism.
这篇关于角REST API安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!