如何在 Django Rest Framework 中保护用于注册和登录的 API? [英] How to secure APIs for Registration and Login in Django Rest Framework?

问题描述

我曾经和现在几乎每个 Django Framework 用户都使用 Django Rest Framework 来创建 REST API.我将它与使用 django-rest-framework-jwt 和它的令牌认证一起使用当用户通过我们的 rest API 登录时返回令牌.

I have been and nowadays may be almost every Django Framework users using Django Rest Framework for creating REST APIs. I am using it with token authentication using django-rest-framework-jwt and it returns the token when User logged in through our rest API.

所以问题是如何保护我们 API 端点的任何注册或登录视图.任何高级 XSS 脚本都可能有用于创建注册的恶意循环.我们如何在 Django Rest Framework 中保护它?

So the question is how to secure any registration or login views for our API endpoints.Any high-level XSS scripts can have malicious looping for creating registrations.How can we secure it in Django Rest Framework ?

推荐答案

正如您所说，您不能拥有像 JWT 这样的身份验证系统来保护您的页面，例如登录和注册.但是，您还可以做许多其他事情.下面我简单地提到了其中的两个，以帮助您入门，休息您可以详细学习.

As you have stated, you cannot have an authentication system like JWT protect your pages like login and registration. However there are many other things you can do. Below I have mentioned two of them briefly to get you started and rest you can study in detail.

• 首先解决 XSS 问题 -

某些浏览器能够阻止似乎是 XSS 攻击的内容.它们通过在页面的 GET 或 POST 参数中查找 JavaScript 内容来工作.如果 JavaScript 在服务器的响应中被重放，页面将被阻止呈现并显示错误页面.X-XSS-Protection 头用于控制 XSS 过滤器的操作.

Some browsers have the ability to block content that appears to be an XSS attack. They work by looking for JavaScript content in the GET or POST parameters of a page. If the JavaScript is replayed in the server’s response, the page is blocked from rendering and an error page is shown instead. The X-XSS-Protection header is used to control the operation of the XSS filter.

实施

Django 提供在 settings>base.py 中添加的中间件和设置中间件:

Django provides middleware and settings added in settings>base.py Middleware:

django.middleware.security.SecurityMiddleware

设置:

SECURE_BROWSER_XSS_FILTER = True
This sets header to X-XSS-Protection: 1; mode=block

为了防止某些脚本重复访问您的登录或注册页面，您可以采取的其他措施是 -

Other things you can do to prevent some script from hitting your login or registration pages repeatedly is -

• 蛮力攻击

安全问题

自动化程序可能会攻击以破解用户的用户名和密码或降低服务器速度.

An automated programme may attack to hack username and password of a user or to slow down the server.

这些攻击通常采用以下几种形式之一:1. 一个 IP 地址尝试一个用户名和多个密码.2. 许多 IP 地址尝试使用一个用户名和多个密码.3. 一个IP地址尝试多个用户名和几个常用密码.4. 许多 IP 地址使用一个或几个常用密码尝试多个用户名.5. 攻击域内任意随机url，降低服务器响应速度.

These attacks generally take one of a few forms: 1. One IP address trying one username with many passwords. 2. Many IP addresses trying one username with many passwords. 3. One IP address trying many usernames with a few common passwords. 4. Many IP addresses trying many usernames with one or a few common passwords. 5. Attacking on any random url on domain to slow down the server response.

实施

Django Rest Framework 提供内置的节流设置

Django Rest Framework provides inbuilt settings for throttling

REST_FRAMEWORK = {
    ...
    'DEFAULT_THROTTLE_CLASSES': (
        'rest_framework.throttling.AnonRateThrottle',
        'rest_framework.throttling.UserRateThrottle',
        'rest_framework.throttling.ScopedRateThrottle',
    ),
    'DEFAULT_THROTTLE_RATES': {
        'anon': '60/minute',
        'app1': '10000/day',
        'app2': '10000/day',
    },
    ...
}

另一种解决方案是 django-defender 或 django-ratelimit，用于仅防止失败的登录尝试.

Another solution is django-defender or django-ratelimit for preventing only for failed login attempts.

希望有帮助.

这篇关于如何在 Django Rest Framework 中保护用于注册和登录的 API?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！