保护AJAX请求的方法有哪些? [英] What are the ways to secure an AJAX request?

问题描述

我有一个客户端进行AJAX调用以对URL进行分类.它将调用myserver.php?url = facebook.com，服务器将响应社交.不涉及密码，只有URL字符串，服务器将为其返回类别.

I have a client that makes an AJAX call to categorize a URL. It will call myserver.php?url=facebook.com and the server would respond Social. There are no passwords involved and just a URL string for which the server would return a category.

我们为url类别构建了一个大型数据库，我不希望人们调用此API并窃取数据.如何确保我在服务器上收到的请求是我的客户端?是否会在服务器端为每个IP工作设置请求限制?

We have built a large database for url categories and I don't want people calling this API and stealing the data. What are the ways I can make sure that the request I'm getting at the server is my client? Would setting a request limits per IP work on the server side?

是否值得使用SSL(因为其中不涉及任何超安全的内容，而且我每分钟收到1000个请求)?我是数据安全新手，请就此进行指导.

Is it worth going to SSL (as there are no ultra-secure stuff involved and I get 1000s of requests a minute)? I'm a data security novice, so kindly guide me on this.

推荐答案

您最终无法从屏幕抓取中保护任何公共资源... CSRF 令牌明智的步骤是不要使用GET，而应使用POST.

Ultimately you cant secure any public resource from screen scrapping...Read More, but if your looking to just add a basic layer of protection from someone just scripting something that directly access's your sites API, then you can set a single use CSRF token on to the AJAX request, also a wise step is to not use GET and use POST instead.

这是一个简单的示例，在客户端加载页面后，您在会话中设置了一些令牌，并将令牌添加到AJAX:

Here's a quick example, upon the client loading the page you set some tokens into the session, and add the tokens to the AJAX:

<?php 
session_start(); 
$_SESSION['csrf_ajax_key'] = sha1(uniqid());
$_SESSION['csrf_ajax_val'] = sha1(uniqid());
?>
<!DOCTYPE html>
<html>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<script src="http://code.jquery.com/jquery-latest.min.js" type="text/javascript"></script>

<body>

<span id="result">Ajax response goes here...</span>

<script>
var request = $.ajax({
    type: "POST",
    url: "yourAPI.php",
    data: {"url":"facebook.com", "<?php echo $_SESSION['csrf_ajax_key'];?>":"<?php echo $_SESSION['csrf_ajax_val'];?>"}
});
request.done(function(response) {
    $("#result").html(response);
});
request.fail(function(jqXHR, textStatus, errorThrown) {
    console.log(textStatus, errorThrown);
});
</script>

</body>
</html>

然后在您的API上进行一些简单的检查，以检查密钥是否已设置，它是xmlhttprequest(AJAX)，并且是POST请求.然后取消设置会话密钥以停止多个请求，或者您可以为后续请求返回新密钥(如果进行轮询).

Then on your API do some simple checks to check that the keys are set, its a xmlhttprequest(AJAX) and is a POST request. Then unset the session keys to stop multiple requests or you could return new keys for subsequent requests (if your polling).

<?php 
session_start();

if(
    //Check required variables are set
    isset($_SESSION['csrf_ajax_key']) &&
    isset($_SESSION['csrf_ajax_val']) &&
    isset($_POST[$_SESSION['csrf_ajax_key']]) &&
    isset($_SERVER['HTTP_X_REQUESTED_WITH']) &&

    //Check is AJAX
    strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest' &&

    //Check is POST
    $_SERVER['REQUEST_METHOD'] === 'POST' &&

    //Check POST'ed keys match the session keys
    $_SESSION['csrf_ajax_val'] == $_POST[$_SESSION['csrf_ajax_key']]
){
    //good - example
    if(isset($_POST['url']) && $_POST['url']=='facebook.com'){
        echo 'This is the response for facebook.com';
    }

}

//Unset to stop multiple attempts
unset($_SESSION['csrf_ajax_val'], $_SESSION['csrf_ajax_key']);
?>

虽然它不是100％，但会停止大多数运动.

Though its not 100% but will stop most.

这篇关于保护AJAX请求的方法有哪些?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！