JavaScript global variables - protection


Question


I am using some global variables on a web application, built on Html/Javascript. I am using these variables across pages (or portions of them), and sometimes they are used as post data for ajax calls. My question is: how secure is this? Surely I can set different values for these variables (using a console for example) and then the calls that rely on this var are made. Imagine the user sets some Id that corresponds to something that he doesn't even have access to.

How should this be handled?

Thanks in advance.

Recommended answer


There is nothing different about this from any web application, from a point of view of security.


Anything sent from the browser must be treated as untrusted by the server. This includes URL parameters, form post data, cookies, HTTP headers and anything controlled by JavaScript. All these items can be manipulated by an attacker.


Essentially, it doesn't matter what the values are in the client, you only need to worry about them when they hit your server in the form of a new HTTP request (this includes XHR). Until that point, variables with bad values can't do any damage.


Ensure your server can correctly authenticate the current user and only allow them access to data and actions that they are authorised to perform. Ensure that all data received from the browser is checked to be correct (if known) or of the correct datatype and within expected limits, rejecting the data and aborting the action if it is not.
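The pattern the answer describes, as an added example that is not part of the original question or answer: a server-side handler that treats the client-supplied id as untrusted, authenticates the session first, validates the id's type and range, and then decides authorization from the server's own records rather than anything the browser sent. It assumes no framework; the session store and document table are constructed in-memory stand-ins for a database.

```javascript
// Constructed sample data standing in for a session store and a database table.
const sessions = { 'sess-alice': { userId: 1 }, 'sess-bob': { userId: 2 } };
const documents = {
  10: { ownerId: 1, title: 'alice-notes' },
  20: { ownerId: 2, title: 'bob-notes' },
};

// Validate the raw client value: accept only a positive decimal integer of
// bounded length (as a string or a number); anything else is rejected.
function parseDocId(raw) {
  const s = typeof raw === 'number' ? String(raw) : raw;
  if (typeof s !== 'string' || !/^[1-9]\d{0,8}$/.test(s)) return null;
  return Number(s);
}

// Simulates handling a POST whose body carries { id: <client value> }.
// Returns { status, body } instead of writing a response, so it is testable.
function handleGetDocument(req) {
  // 1. Authenticate: the session cookie, not any JavaScript variable, says who this is.
  const session = sessions[(req.cookies || {}).session];
  if (!session) return { status: 401, body: 'not authenticated' };

  // 2. Validate the datatype and limits of what the browser sent.
  const id = parseDocId((req.body || {}).id);
  if (id === null) return { status: 400, body: 'invalid id' };

  // 3. Authorize against server-side records. A missing document and a
  //    document owned by someone else get the same answer, so the response
  //    does not reveal which ids exist.
  const doc = documents[id];
  if (!doc || doc.ownerId !== session.userId) return { status: 403, body: 'forbidden' };

  return { status: 200, body: doc.title };
}
```

Whatever value the global variable held in the console, the server only acts on the id after the session and ownership checks pass.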
