How to prevent non-browser clients from sending requests to my server


Problem description


I've recently deployed my website and my back-end on the same vps, using nginx, but now when I do a request with PostMan to http://IP:port/route - I get the response from the server from any PC. I think this is not how it's supposed to work. I set the CORS options to origin : vps-IP (so only my domain), but my server still accepts the requests from PostMan. Is there any way to prevent my back-end from accepting these requests, limiting the domain to only my domain AKA my vps ip? And must the requests bypass nginx first?


Another question is to protect my website; important request and response headers are showing in the browser network tab - like Authorization JWT token, is this normal or is this some security risk?

Recommended answer


I think there's a bit of confusion here regarding CORS.


Cross Origin Resource Sharing is not used for desktop client to server / or server to server calls. From the link:


Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell a browser to let a web application running at one origin (domain) have permission to access selected resources from a server at a different origin. A web application makes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, and port) than its own origin.


So it's a web application to another server thing and its actual functionality is implemented by browsers.


  1. Is this normal? Yes it is. This means that people who are using Postman can make requests to your server and it's your responsibility to ensure that you're protected against stuff like that. What browsers would do is they would take a look at what domains you allow your server to be called from and if it is a different domain trying to access the resource they will block it. Setting the list of domains that can access your resources is your / your server's responsibility, but enforcing that policy is the browser's responsibility. Postman is not a browser, so it doesn't necessarily implement this feature (and it doesn't have to).


If you are showing/leaking the tokens in the headers (in a different device than what you have authenticated with, or before signing in) - that's a serious security problem. If it's happening on the device that you've signed in on, and only after you sign in, then it's expected. This is assuming that you don't leak the information in any other way and designed / implemented it correctly.


There are prevention mechanisms to what you're worried about. And you might be on a service like that without even noticing it, your hosting / cloud deployment provider might have either an implementation or an agreement with another company / tool so you might be already protected. Best to check!

These

are the first paid services to appear on a quick search, I'm sure there are more. There are also simple implementations which will offer some protection:
