在 Javascript 客户端中隐藏基本身份验证凭据 [英] Hide basic auth credentials in Javascript client

查看:35
本文介绍了在 Javascript 客户端中隐藏基本身份验证凭据的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我需要从我的客户端 javascript 代码创建一个 ajax 请求,使用 jQuery 将一些数据发布到后端.

I need to make from my client side javascript code an ajax request posting some data to the backend with jQuery.

$.ajax({...});

Javascript 代码可以被各种客户端嵌入,所以我在我的后端启用了 CORS 并且请求正常.后端由 Basic Auth 保护,并且 auth 标头存储在 javascript 客户端中.

The Javascript code can be embedded by various client so I enabled CORS on my backend and the requests go fine. The backend is protected by an Basic Auth and the auth header is stored in the javascript client.

我如何保护我的后端,以便只有我的客户可以发布数据并防止任何其他人这样做.

How can I protect my backend so only my client can post data and prevent any other people from doing this.

推荐答案

您不能在 JavaScript 中存储机密.您无法保留用户名和密码,至少用户无法访问它们(F12 调试工具).即使使用 JavaScript 加密,您仍然需要存储客户端上某处容易被发现的密钥.

You can't store secrets in JavaScript. There's no way you can hold on to a username and password without at least the user being able to get to them (F12 debugging tools). Even if were to use JavaScript encryption, you'd still need to store the secret key somewhere on the client where it can easily be discovered.

即使您信任该用户,XSS 攻击也可能会泄露此用户名并攻击者的密码信息.

And even if you trust the user, XSS attacks may leak this username and password info to an attacker.

这就是 OAuth 2.0 在隐式授权 与公共客户打交道.

That's why OAuth 2.0 uses short lived access tokens in an implicit grant to deal with public clients.

这篇关于在 Javascript 客户端中隐藏基本身份验证凭据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆