防止篡改客户端地理编码结果 [英] Prevent tampering with client-side geocoding results

问题描述

我们正在构建使用基于位置的定价的服务.用户可以输入地址并查看由各种服务器端算法确定的其所在地区的价格.然后可以根据这些价格订购商品.

We are building a service that uses location-based pricing. The user can input an address and see prices in his area as determined by various server-side algorithms. It is then possible to order items based on these prices.

我正在尝试确定是否有一种方法可以在这种情况下使用客户端地理编码(以避免达到Google Maps API使用限制)，例如用户输入其地址，浏览器就会使用JS库获取地址解析结果，并将其包含在表单提交中.问题在于，用户可能会篡改表单提交，并有可能向其地址下达适用于一组不同坐标的价格的订单.

I'm trying to figure out if there is a way we can use client-side geocoding in this scenario (to avoid hitting Google Maps API usage limits), e.g. the user enters his address and the browser fetches the geocode result using the JS library and includes it in the form submission. The problem is that the user could tamper with the form submission and potentially place orders to his address for prices that apply to a different set of coordinates.

我想听听您对我如何获得此建议的建议.例如，如果可以以某种方式对地理编码结果进行签名以验证它是否未被篡改，那将是令人惊讶的事情.

I'd like to hear your suggestions about how I can secure this. For example, it would be amazing if the geocode result could be signed somehow to verify that it hasn't been tampered with?

推荐答案

如果您希望客户端计算机执行请求，则在安全性方面会受到一些限制，因为它们全都是javascript，恶意用户可以检查脚本并查看您的操作.因此，即使试图确保"成功，也将受到限制.

If you want the client machine to do the request, you are going to be a bit limited in the security aspect of this, as it would all be javascript, and a malicious user could inspect the script and see what you are doing. Therefore even attempts at "securing" it would be limited in success.

我唯一的建议是在用户提交结果时在服务器端进行最终验证".这样可以减少服务器端的API攻击，但可以使安全性100％有效.

My only recommendation would be to do a "final validation" serverside just as the user is submitting their results. This should reduce the API hits on your server side, but will keep the security 100% valid.

这篇关于防止篡改客户端地理编码结果的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！