保护Javascript Web App中的私有API密钥 [英] Securing Private API keys in Javascript Web App
问题描述
我已经对此进行了详尽的研究,但仍未找到可靠的答案或任何标准程序.
I've thoroughly researched this but am yet to find a solid answer or any kind of standard procedure.
我的API实现了HMAC身份验证,并且我站点的每个成员都有一个公共/秘密密钥来验证他们对API的使用并签署他们的请求.
My API implements HMAC authentication, and every member of my site has a public/secret key to authenticate their use of the API and sign their request.
在移动应用程序上,服务器将在成功登录请求后通过加密连接发送公钥/秘钥,以存储在设备上.随后的请求将使用这些密钥进行签名.
On a mobile app, the server would send the public/secret keys over an encrypted connection to be stored on the device after a successful login request. Subsequent requests would be signed using these keys.
在这种情况下,考虑到任何知道如何使用Web检查器的人都可以看到源代码,因此我应该将密钥存储在客户端的什么位置?实际上,如果经过身份验证的用户看到自己的密钥,这不是问题,因为他们不太可能像不会与其他任何人共享其帐户用户名/密码那样共享它们.
So where should I store the keys on the client in this case, considering that the source code is visible to anyone who knows how to use a web inspector? In reality it's not an issue if the authenticated user sees their own keys, as they're unlikely to share them just like they'd be unlikely to share their account username/password with anyone else.
将公共/秘密密钥存储在cookie中,并使用javascript进行检索-可能不太安全,当用户注销/会话结束时能否可靠地清除cookie?
Store the public/secret keys in cookies, and retrieve using javascript - Probably not too secure, can the cookies be reliably cleared when the user logs out/their session ends?
将公用密钥/秘密密钥存储在网页本身中-我能想到的唯一真正的解决方案-Javascript可以通过DOM访问密钥,并且只有在以下情况下它们才会被泄露(见)用户使他们的帐户保持登录状态,并且有人知道该在哪里寻找他们.
Store the public/secret keys in the web-page itself - Only real solution I can think of - Javascript can access the keys through the DOM, and they can only be compromised(seen) if the user leaves their account logged in, and somebody knows where to look for them.
注意: 该Web应用程序不是单页应用程序,因此不能将公钥/秘密密钥存储在内存中.
Note: The web app is not a single-page app, so storing the public/secret keys within the memory is not an option.
不知道我是否在正确的轨道上(某些事情告诉我我不在),希望有人可以让我直接这样做.
谢谢
推荐答案
我得出的结论是,我要在此防御的是CSRF.
I've come to the conclusion that what i'm trying to protect against here is CSRF..
我使用的是laravel,所以我的解决方案是在如此处所示.
I'm using laravel, so my solution was to add the csrf nonce (Session::token()) in the head as seen here.
<meta name="token" content="32947fh2834fgkhgfr8724234f">
并在请求标头中发送:
$.ajaxSetup({
headers: { 'session_token': '32947fh2834fgkhgfr8724234f' }
});
在授权api请求时,需要检查"session_token"标头并验证其真实性.如果session_token不存在,它将退回到HMAC检查.
When authorising the api request it's a case of checking for the 'session_token' header and validating it's authenticity. If the session_token isn't there it'll fall back to the HMAC check.
加上ssl,这应该足够了,想法吗?
Coupled with ssl this should be enough, Thoughts?
这篇关于保护Javascript Web App中的私有API密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
