Securing Express API


Question

I'm writing a web app with a separate frontend and backend. The frontend is written in React, and the backend is a node.js server running an Express endpoint. How do I ensure that only my frontend can access the API, and not anyone else? My API URL is exposed in my frontend client side code, so anyone can see that.

I added JWT authentication to my API, but I still need to have an unprotected /login endpoint in order to generate the JWT token, and in order to login to generate the token, I must post both a username and password from my frontend, which other users can see, since it's done from the client side.

What is the proper way of securing an API that is hosted on a separate backend like this, so that only my frontend can access it, in a way where nobody can see what credentials are being used to access the endpoint?

Accepted answer

You can't. Your API is on the internet. Anyone can access it. You can require an account and login credentials for the account before allowing access to the API, but once someone has an account and credentials, they can access the API from their own script rather than via your web page. This is how the web works. Not much you can do about it. And credentials being used by the client cannot be hidden. All data that is EVER on the client can be looked at by a hacker on the client. This is the way of the web.

Larger companies will typically monitor their API usage to look for inappropriate use. This includes rate limiting, detecting behaviors and sequences that are not typical of a regular human user. When they detect inappropriate use, they will often disable that action or ban the offending account, either temporarily or permanently. This is also why some pages use techniques to detect if an actual human is individually causing the operation such as reCaptcha. For example, on Stack Overflow, when editing comments or posts, I often run into rate limiting where it tells me that I have to wait a bit before it will accept my edit.

There is no absolutely secure way to store credentials in a client. The most common scheme for credentials is to require username and password (securely over https) and then when that is accepted on the server as legit credentials, some sort of token is issued to the client which can be used for future API calls. That token may be in a cookie or may need to be manually included with each subsequent API call (the advantage of a cookie when using APIs from a browser is that the cookie is automatically sent with each subsequent request).

If the token is a cookie, then the cookie is stored in the browser's cookie storage and an expiration can be set for it. The browser's cookie storage is protected from access by web pages from other sites, but can be accessed by someone on the local computer (it's stored in the file system).

If the token is not a cookie, just returned as a token, and the client wishes to store it, there are a few other places that JavaScript provides access to in order to store it. Local storage has similar security as cookie storage. It is protected from access by other web sites, but can be accessed by a person on the local computer.
