jwt: Why is my token shown in Chrome DevTools?


Question

I have an API in Express.js that will create blog posts and add them to my database. When I make a request from my React app, inside of DevTools it will show my JWT. I am worried that when my site goes live people can see my token and make a request from their site to add unwanted posts. Please tell me what is going on and how I can prevent the security error.

Recommended answer

When you send a request with a token in the header, it will look like this in the header pane in Developer Tools:

I assume that's what you are wondering about, whether it is safe or not.

The connection between the React app and the API is unencrypted when you are using ordinary HTTP. That makes a replay attack possible: an ISP or another server between the front-end and the API can read the token and later pretend to be you using the token it read.

The most important solution to that is to use HTTPS, which is encrypted HTTP. Potential attackers are unable to sniff and steal the tokens when you are using HTTPS. When you are dealing with usernames, passwords, etc., you should always use HTTPS.

HTTPS is free to use and not very hard to set up. See here for more details. There is also an interesting discussion here that you might want to read.

