In hybrid app, how to confirm that only your app is accessing the server-side pages


Problem description

Hybrid apps are obviously a bit new, so it's hard to find good information on this. I know that I need to allow cross origin resource sharing on my server side pages, but this clearly adds a security flaw. On a phonegap/cordova app, I only have client-side control with ajax calls to my server-side page. This means that anyone can access my php pages. This means that anyone can essentially mimic my app by accessing all my data like account info, etc. My question is how can I confirm that only my app is accessing these pages? Please provide specific coding examples.

Recommended answer

I answered your question, and many others like it, in this blog post: Client authenticity is not the server's problem.


One of the most basic rules of application security is input validation. The reason this rule is so fundamental is because your server only has control (and visibility) over the software running on itself. Every other device on the Internet is a black box that you can communicate with over networking protocols. You can't see what it's doing, you only see the messages that it sends.

...


The server should remain agnostic to the client.

The software on the client and the software on the server should have a mutual distrust towards each other. Any messages that the server receives should be validated for correctness and handled with care. Data should never be mixed with code if you can help it.

...


The take-away is: Instead of trying to control your users, focus on making their misbehavior inconsequential to the stability and integrity of your server.
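Worked example of the answer's advice, added here as an illustration and not taken from the answer or the linked blog post. It models one server-side endpoint (the "account info" page from the question) as a plain Python function so it runs offline; a PHP page behind Cordova would follow the same pattern. The server never tries to prove which client sent the request: it authenticates the user with a bearer token, validates the input against a strict pattern, keeps data out of code with a parameterised query, and scopes the query to the authenticated owner. The token table, the SQLite rows, the request shape (`headers` and `params` dicts) and the `X-App-Key` header are all constructed for this example; `looks_like_our_app` is included only to show why an "app secret" shipped inside the bundle proves nothing.

```python
"""Server-side endpoint for a hybrid app, written to the rule
"client authenticity is not the server's problem".

Added example; not code from the original answer. All tokens, rows and
request values are constructed here for the demonstration.
"""
import hmac
import re
import sqlite3

# Constructed: bearer token -> user id. A real service issues these at
# login (and stores only a hash); the point is that they identify a USER,
# not an app build.
TOKENS = {
    "tok-alice-7f3a": 1,
    "tok-bob-91c2": 2,
}

# Constructed: a "secret" compiled into the Cordova bundle. Anyone who
# unzips the APK/IPA can read it, so checking it proves nothing.
APP_KEY = "c0rd0va-app-key-123"

ACCOUNT_ID_RE = re.compile(r"[0-9]{1,9}")


class Reject(Exception):
    """Carries the HTTP status the endpoint should answer with."""


def build_db():
    """In-memory table with one account per user (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts ("
        "id INTEGER PRIMARY KEY, owner INTEGER, label TEXT, balance INTEGER)"
    )
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?, ?)",
        [(10, 1, "alice-checking", 500), (11, 2, "bob-savings", 900)],
    )
    return db


def looks_like_our_app(headers):
    """What the question asks for: 'is this request from my app?'.
    A curl user who copies the header from the bundle passes this check,
    so it must never gate access to data."""
    return hmac.compare_digest(headers.get("X-App-Key", ""), APP_KEY)


def authenticate(headers):
    """Map the Authorization header to a user id, or reject with 401."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise Reject(401)
    presented = auth[len("Bearer "):]
    # Constant-time comparison against each known token.
    for known, uid in TOKENS.items():
        if hmac.compare_digest(known, presented):
            return uid
    raise Reject(401)


def validate_account_id(raw):
    """Input validation: the server accepts only a short decimal string.
    Anything else (missing, wrong type, 'or 1=1', etc.) is a 400."""
    if not isinstance(raw, str) or not ACCOUNT_ID_RE.fullmatch(raw):
        raise Reject(400)
    return int(raw)


def get_account(db, request):
    """request = {"headers": {...}, "params": {...}} (constructed shape)."""
    uid = authenticate(request.get("headers", {}))
    acct = validate_account_id(request.get("params", {}).get("id"))
    # Data stays data: bound parameters, never string-built SQL. The query
    # is also scoped to the authenticated owner, so a valid token for Bob
    # cannot read Alice's account even with a well-formed id.
    row = db.execute(
        "SELECT id, label, balance FROM accounts WHERE id = ? AND owner = ?",
        (acct, uid),
    ).fetchone()
    if row is None:
        raise Reject(404)  # same answer for "not found" and "not yours"
    return {"id": row[0], "label": row[1], "balance": row[2]}


def handle(db, request):
    """Endpoint wrapper: returns (status, body)."""
    try:
        return 200, get_account(db, request)
    except Reject as exc:
        return exc.args[0], None


if __name__ == "__main__":
    db = build_db()
    ok = {"headers": {"Authorization": "Bearer tok-alice-7f3a"},
          "params": {"id": "10"}}
    print(handle(db, ok))
    print(handle(db, {"headers": {"X-App-Key": APP_KEY}, "params": {"id": "10"}}))
```

Usage: `handle(db, request)` with Alice's token and `id="10"` returns her row; the same token with `id="11"` (Bob's account) gets a 404, an `id` of `"10 OR 1=1"` is rejected at validation before any SQL runs, and a request carrying only the copied `X-App-Key` header gets a 401 because nothing about it identifies a user. The server's correctness does not depend on whether the caller is the Cordova app, a browser, or curl.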
