在Javascript客户端中隐藏基本身份验证凭据 [英] Hide basic auth credentials in Javascript client

问题描述

我需要从我的客户端javascript代码中发出一个ajax请求，以使用jQuery将一些数据发布到后端.

I need to make from my client side javascript code an ajax request posting some data to the backend with jQuery.

$.ajax({...});

JavaScript代码可以由各种客户端嵌入，因此我在后端启用了CORS，请求可以正常进行. 后端受Basic Auth保护，并且auth标头存储在javascript客户端中.

The Javascript code can be embedded by various client so I enabled CORS on my backend and the requests go fine. The backend is protected by an Basic Auth and the auth header is stored in the javascript client.

如何保护后端，以便只有我的客户才能发布数据并阻止其他任何人这样做.

How can I protect my backend so only my client can post data and prevent any other people from doing this.

推荐答案

您不能在JavaScript中存储机密.如果没有至少用户不能访问的用户名和密码，就无法保留用户名和密码(F12调试工具).即使使用 JavaScript加密，您仍然需要存储客户端上某个容易找到的秘密密钥.

You can't store secrets in JavaScript. There's no way you can hold on to a username and password without at least the user being able to get to them (F12 debugging tools). Even if were to use JavaScript encryption, you'd still need to store the secret key somewhere on the client where it can easily be discovered.

即使您信任用户， XSS 攻击也可能泄漏此用户名和密码信息发给攻击者.

And even if you trust the user, XSS attacks may leak this username and password info to an attacker.

这就是为什么OAuth 2.0在隐式授予中使用短暂访问令牌的原因与公共客户打交道.

That's why OAuth 2.0 uses short lived access tokens in an implicit grant to deal with public clients.

这篇关于在Javascript客户端中隐藏基本身份验证凭据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！