NodeJS/Express - security for public API endpoint


Question

I'm developing my web-site project based on NodeJs/Express, and for some UI parts I'm using jQuery ajax requests to fetch secondary data.

How can we handle some basic control on our REST API end-points that are used for ajax calls by the browser? I was thinking about some kind of token authorization, but it can also be used by other clients (scripts etc.) once it has been intercepted, so how can we protect our server from unwanted requests? What other controls should be used in these cases (recognizing too many requests from the same client, client blacklists, etc.)?

Recommended answer

There are three main topics: Authentication, Authorization, Security. I will give links and only short answers. The subject is big enough to write a few books.

Authentication - who is the one making the request. There are many 'strategies' to authenticate a user. Please check the most popular module for this: http://passportjs.org/docs.

Of course you can implement one or more of these strategies on your own.

For stateless authentication JWT tokens are very convenient. If you want to code it yourself (Passport has this strategy), check this link (one of many on the web): https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens.

How to prevent token interception? Always use HTTPS and set a short token expiration time.

Where to store your token client side? For details look at this: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/ In short, don't store it in web storage because of XSS attacks. Use cookies; when they are correctly configured they are safe (more in the attached link), if not configured they are very exposed to threats.

Authorization: we know the user, but he has access only to some resources. Please check https://github.com/OptimalBits/node_acl There is a gist with node_acl and passport: https://gist.github.com/danwit/e0a7c5ad57c9ce5659d2 In short, passport authenticates the user. We now know who wants what. We set up roles and resources and define the relation between roles and resources. Then we set roles for each user. The module will check user permissions for us.

Security: please look for this subject in the documentation of the Sails framework: http://sailsjs.org/documentation/concepts/security They describe attacks and how the framework prevents them. I write about Express:

DDOS: (part of your question, "too many requests from the same client") "At the API layer, there isn't much that can be done in the way of prevention". This is a subject mostly for server admins. In short, use a load balancer. If it is one IP (not hundreds) then blacklist it or delay the response (for a start look at https://www.npmjs.com/package/delayed-request but I think that solution must be more sophisticated).

CSRF: "type of attack which forces an end user to execute unwanted actions on a web application backend". Look at this module: https://www.npmjs.com/package/csrf

XSS: "type of attack in which a malicious agent manages to inject client-side JavaScript into your website". Don't trust any data from the user. Always validate, filter, sanitize. Look at this: https://www.npmjs.com/package/xss

In the documentation of Sails there are more attack types, but the above are the most popular.

