Securing Express API


Problem description

I'm writing a web app with a separate frontend and backend. The frontend is written in React, and the backend is a node.js server running an Express endpoint. How do I ensure that only my frontend can access the API, and not anyone else? My API URL is exposed in my frontend client side code, so anyone can see that.

I added JWT authentication to my API, but I still need to have an unprotected /login endpoint in order to generate the JWT token, and in order to login to generate the token, I must post both a username and password from my frontend, which other users can see, since it's done from the client side.

What is the proper way of securing an API that is hosted on a separate backend like this, so that only my frontend can access it, in a way where nobody can see what credentials are being used to access the endpoint?

Recommended answer

You can't. Your API is on the internet. Anyone can access it. You can require an account and login credentials for the account before allowing access to the API, but once someone has an account and credentials, they can access the API from their own script rather than via your web page. This is how the web works. Not much you can do about it. And credentials being used by the client cannot be hidden. All data that is EVER on the client can be looked at by a hacker on the client. This is the way of the web.

Larger companies will typically monitor their API usage to look for inappropriate use. This includes rate limiting, detecting behaviors and sequences that are not typical of a regular human user. When they detect inappropriate use, they will often disable that action or ban the offending account, either temporarily or permanently. This is also why some pages use techniques to detect if an actual human is individually causing the operation such as reCaptcha. For example, on Stack Overflow, when editing comments or posts, I often run into rate limiting where it tells me that I have to wait a bit before it will accept my edit.

There is no absolutely secure way to store credentials in a client. The most common scheme for credentials is to require username and password (securely over https) and then when that is accepted on the server as legit credentials, some sort of token is issued to the client which can be used for future API calls. That token may be in a cookie or may need to be manually included with each subsequent API call (the advantage of a cookie when using APIs from a browser is that the cookie is automatically sent with each subsequent request).

If the token is a cookie, then the cookie is stored in the browser's cookie storage and an expiration can be set for it. The browser's cookie storage is protected from access by web pages from other sites, but can be accessed by someone on the local computer (it's stored in the file system).

If the token is not a cookie, just returned as a token, and the client wishes to store it, there are a few other places that Javascript provides access to in order to store it. Local storage has similar security as cookie storage. It is protected from access by other web sites, but can be accessed by a person on the local computer.
