NodeJS/express - security for public API endpoint

Question

I'm developing my web-site project based on NodeJs/Express, and for some UI parts I'm using jQuery ajax requests to fetch secondary data.

How can we handle some basic control on our REST API end-points that are used for ajax calls by the browser? I was thinking about some kind of token authorization, but it can also be used by other clients (scripts etc.) once it has been intercepted, so how can we protect our server from unwanted requests? What other controls should be used in these cases (recognizing too many requests from the same client, client blacklists, etc.)?

Answer

There are three main topics: authentication, authorization, security. I will give links and only short answers. The subject is big enough to write a few books about.

Authentication - who is the one making the request. There are many 'strategies' to authenticate a user. Please check the most popular module for this: http://passportjs.org/docs.

Of course you can implement one or more of these strategies yourself.

For stateless authentication JWT tokens are very convenient. If you want to code it yourself (Passport has this strategy), check this link (one of many on the web): https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens.

How to prevent token interception? Always use https and set the token expiration time short.

Where to store your token client side? For details look at this: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/ In short, don't store it in web storage because of XSS attacks. Use cookies; when they are correctly configured they are safe (more in the attached link), if not configured they are very exposed to threats.

Authorization: we know the user, but he has access only to some resources. Please check https://github.com/OptimalBits/node_acl There is a gist with node_acl and passport: https://gist.github.com/danwit/e0a7c5ad57c9ce5659d2 In short, passport authenticates the user. We now know who wants what. We set up roles and resources and define the relation between roles and resources. Then we set roles for each user. The module will check user permissions for us.

Security: please look for this subject in the documentation of the sails framework http://sailsjs.org/documentation/concepts/security They describe attacks and how the framework prevents them. I write about express:

DDOS: (part of your question "too many requests from same client") "At the API layer, there isn't much that can be done in the way of prevention". This is mostly a subject for server admins. In short, use a load balancer. If it is one IP (not hundreds) then blacklist or delay the response (for a start look at this https://www.npmjs.com/package/delayed-request but I think that solution must be more sophisticated).

CSRF: "type of attack which forces an end user to execute unwanted actions on a web application backend". Look at this module: https://www.npmjs.com/package/csrf

XSS: "type of attack in which a malicious agent manages to inject client-side JavaScript into your website". Don't trust any data from the user. Always validate, filter, sanitize. Look at this: https://www.npmjs.com/package/xss

In the documentation of sails, there are more attack types, but the above are the most popular.
