如何在Django Rest Framework中保护用于注册和登录的API? [英] How to secure APIs for Registration and Login in Django Rest Framework?
问题描述
我去过,如今可能几乎每个使用Django Rest Framework创建REST API的Django Framework用户.我正在使用 django-rest-framework-jwt 进行令牌认证的方式当用户通过我们的其余API登录时,返回令牌.
I have been and nowadays may be almost every Django Framework users using Django Rest Framework for creating REST APIs. I am using it with token authentication using django-rest-framework-jwt and it returns the token when User logged in through our rest API.
所以问题是如何保护API端点的任何注册或登录视图.任何高级XSS脚本都可能具有恶意循环来创建注册.如何在Django Rest Framework中保护它?
So the question is how to secure any registration or login views for our API endpoints.Any high-level XSS scripts can have malicious looping for creating registrations.How can we secure it in Django Rest Framework ?
推荐答案
如前所述,您不能拥有像JWT这样的身份验证系统来保护您的页面(如登录和注册).但是,您还可以执行许多其他操作.下面我简要地提到了其中两个,以帮助您入门和休息,您可以详细学习.
As you have stated, you cannot have an authentication system like JWT protect your pages like login and registration. However there are many other things you can do. Below I have mentioned two of them briefly to get you started and rest you can study in detail.
- 首先解决XSS问题-
某些浏览器能够阻止看似XSS攻击的内容.它们通过在页面的GET或POST参数中查找JavaScript内容来工作.如果服务器响应中重播了JavaScript,则该页面将无法呈现,而是显示错误页面.X-XSS-Protection标头用于控制XSS过滤器的操作.
Some browsers have the ability to block content that appears to be an XSS attack. They work by looking for JavaScript content in the GET or POST parameters of a page. If the JavaScript is replayed in the server’s response, the page is blocked from rendering and an error page is shown instead. The X-XSS-Protection header is used to control the operation of the XSS filter.
实施
Django提供了在settings> base.py中添加的中间件和设置中间件:
Django provides middleware and settings added in settings>base.py Middleware:
django.middleware.security.SecurityMiddleware
设置:
SECURE_BROWSER_XSS_FILTER = True
This sets header to X-XSS-Protection: 1; mode=block
您可以做的其他防止某些脚本重复访问登录页面或注册页面的操作是-
Other things you can do to prevent some script from hitting your login or registration pages repeatedly is -
- 蛮力攻击
安全问题
一个自动程序可能会攻击来窃取用户的用户名和密码或降低服务器速度.
An automated programme may attack to hack username and password of a user or to slow down the server.
这些攻击通常采取以下几种形式之一:1.一个IP地址尝试一个具有多个密码的用户名.2.许多IP地址尝试使用一个具有多个密码的用户名.3.一个IP地址尝试许多用户名和一些通用密码.4.许多IP地址尝试使用一个或几个常用密码的许多用户名.5.攻击域中的任何随机URL,以减慢服务器响应.
These attacks generally take one of a few forms: 1. One IP address trying one username with many passwords. 2. Many IP addresses trying one username with many passwords. 3. One IP address trying many usernames with a few common passwords. 4. Many IP addresses trying many usernames with one or a few common passwords. 5. Attacking on any random url on domain to slow down the server response.
实施
Django Rest Framework提供了用于节流的内置设置
Django Rest Framework provides inbuilt settings for throttling
REST_FRAMEWORK = {
...
'DEFAULT_THROTTLE_CLASSES': (
'rest_framework.throttling.AnonRateThrottle',
'rest_framework.throttling.UserRateThrottle',
'rest_framework.throttling.ScopedRateThrottle',
),
'DEFAULT_THROTTLE_RATES': {
'anon': '60/minute',
'app1': '10000/day',
'app2': '10000/day',
},
...
}
另一种解决方案是django-defender或django-ratelimit,用于仅防止失败的登录尝试.
Another solution is django-defender or django-ratelimit for preventing only for failed login attempts.
希望有帮助.
这篇关于如何在Django Rest Framework中保护用于注册和登录的API?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!