How do you securely access Windows Azure Mobile Services with Javascript in a web app?


Question

I need a primer on web/javascript security.

According to How to use an HTML/JavaScript client for Windows Azure Mobile Services, in javascript on the client side, after including a link to MobileServices.Web-1.0.0.min.js, you're supposed to create a client like this:

var MobileServiceClient = WindowsAzure.MobileServiceClient;
var client = new MobileServiceClient('AppUrl', 'AppKey');

which means including my AppKey in the javascript on the page. Should I be worried about the AppKey being public?

Also, it seems easy enough for someone to put an XHR breakpoint in to read the X-ZUMO-APPLICATION and X-ZUMO-AUTH headers while making a REST call when logged in. The usefulness of this is somewhat reduced with a cross-origin resource sharing whitelist, but what's to stop someone with this information from adding javascript to the page and executing arbitrary operations on my backend database? Restricting table permissions to authenticated users wouldn't help in this scenario.

Do I need to be concerned? What do banking apps do about this sort of thing?

Answer

In the same link which you shared, the application key is defined as a mechanism that is not safe for authenticating users - "A unique value that is generated by Mobile Services, distributed with your app, and presented in client-generated requests. While useful for limiting access to your mobile service from random clients, this key is not secure and should not be used to authenticate users of your app."

Moreover, when you enable some authentication on all the endpoints, either using ACS or through Open Authentication, if your main ASP.Net/PHP etc. page got authorized, then the browser is going to handle federation of identity through cookies for the next on-going calls till your session ends.

In most applications, having HTTPS would protect from man-in-the-middle attacks. Also, strong encryption logic on cookies, along with very specific expiry times, would raise the bar of security. IP address based checks would also definitely help in improving security.
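An added example, not part of the original question or answer, that shows the server-side half of the picture the answer alludes to. Azure Mobile Services let you attach scripts to a table in the shape `insert(item, user, request)` / `read(query, user, request)`, where `user` is populated by the service from a validated X-ZUMO-AUTH token. Since the App Key and the auth header are visible to anyone with the browser debugger open, what actually contains a caller is what the table script allows for `user.userId`: the scripts below discard any ownership the client claims in the request body and scope reads to the caller's own rows. The in-memory store, `user`, `query` and `request` objects are hand-built stand-ins (assumptions, not the Mobile Services runtime) so the scripts can be exercised offline in Node.

```javascript
// ---- Table scripts, as they would be deployed on a hypothetical 'Notes' table ----
// (table permission set to "Only Authenticated Users" in the portal)

function insert(item, user, request) {
  // Overwrite, never trust: any userId in the client-supplied body is discarded
  // and replaced by the identity the service validated from X-ZUMO-AUTH.
  item.userId = user.userId;
  request.execute();
}

function read(query, user, request) {
  // Every read is scoped to the caller's own rows, on top of any filter the
  // client sent in the URL. A forged $filter cannot widen this.
  query.where({ userId: user.userId });
  request.execute();
}

// ---- Offline stand-ins for the Mobile Services runtime (constructed for this example) ----

function makeStore() {
  const rows = [];
  let nextId = 1;

  // Minimal query object: where() accumulates equality filters, run() applies them all.
  function makeQuery() {
    const filters = [];
    return {
      where(f) { filters.push(f); return this; },
      run() {
        return rows.filter((r) =>
          filters.every((f) => Object.keys(f).every((k) => r[k] === f[k])));
      },
    };
  }

  return {
    rows,
    // Simulates POST /tables/Notes for a caller whose token resolved to `user`.
    post(user, body) {
      const item = Object.assign({}, body);
      let stored = null;
      insert(item, user, {
        execute() { item.id = nextId++; rows.push(item); stored = item; },
      });
      return stored;
    },
    // Simulates GET /tables/Notes?$filter=... for a caller whose token resolved to `user`.
    get(user, clientFilter) {
      const q = makeQuery();
      if (clientFilter) q.where(clientFilter);
      let result = null;
      read(q, user, { execute() { result = q.run(); } });
      return result;
    },
  };
}

// Scenario: a victim stores a note. Someone who copied the App Key from the page
// and logged in with their own account (so they hold a valid X-ZUMO-AUTH header)
// tries to write and read as the victim by naming the victim's userId in the request.
function scenario() {
  const store = makeStore();
  const victim = { userId: 'Facebook:1001' };   // constructed identities
  const attacker = { userId: 'Facebook:2002' };

  store.post(victim, { text: 'victim secret' });
  const forged = store.post(attacker, { text: 'forged', userId: victim.userId });
  const viaVictimFilter = store.get(attacker, { userId: victim.userId });
  const ownRows = store.get(attacker);

  return {
    forgedOwner: forged.userId,                       // 'Facebook:2002', not the victim
    attackerSeesVictim: viaVictimFilter.map((r) => r.text), // []
    attackerSeesOwn: ownRows.map((r) => r.text),      // ['forged']
  };
}
```

The App Key still goes in the page; the example just shows why that is acceptable once every table operation is bound to the validated identity on the server. A stolen header lets an attacker act only as the account that header belongs to, which is the same exposure any cookie-based web session has, and it is why the answer points at HTTPS and short session lifetimes rather than at hiding the key.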
