NodeJS/express - security for public API endpoint


Question

I'm developing my website project based on NodeJs/Express, and for some UI parts I'm using jQuery ajax requests to fetch secondary data.

How can we handle some basic control on our REST API endpoints that are used for ajax calls by the browser? I was thinking about some kind of token authorization, but it can also be used by other clients (scripts etc.) once it has been intercepted, so how can we protect our server from unwanted requests? What other controls should be used in these cases (recognizing too many requests from the same client, client blacklists, etc.)?

Answer

There are three main topics: Authentication, Authorization, Security. I will give links and only short answers. The subject is big enough to write a few books.

Authentication - who is the one making the request. There are many 'strategies' for authenticating a user. Please check the most popular module for this: http://passportjs.org/docs.

Of course you can implement one or more of these strategies on your own.

For stateless authentication JWT tokens are very convenient. If you want to code it yourself (Passport has this strategy), check this link (one of many on the web): https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens.

How to prevent token interception? Always use https and set the token expiration time short.

Where to store your token client side? For details look at this: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/ In short, don't store it in web storage because of XSS attacks. Use cookies; when they are correctly configured they are safe (more in the attached link), if not configured they are very exposed to threats.

Authorization: we know the user, but he has access only to some resources. Please check https://github.com/OptimalBits/node_acl There is a gist with node_acl and passport: https://gist.github.com/danwit/e0a7c5ad57c9ce5659d2 In short, passport authenticates the user. We now know who wants what. We set up roles and resources and define the relation between roles and resources. Then we set roles for each user. The module will check user permissions for us.

Security: please look for this subject in the documentation of the sails framework http://sailsjs.org/documentation/concepts/security They describe attacks and how the framework prevents them. I write about express:

DDOS: (part of your question "too many requests from same client") "At the API layer, there isn't much that can be done in the way of prevention". This is a subject mostly for server admins. In short, use a load balancer. If it is one IP (not hundreds) then blacklist it or delay the response (for a start look at this https://www.npmjs.com/package/delayed-request but I think that solution must be more sophisticated).

CSRF: "type of attack which forces an end user to execute unwanted actions on a web application backend". Look at this module https://www.npmjs.com/package/csrf

XSS: "type of attack in which a malicious agent manages to inject client-side JavaScript into your website". Don't trust any data from the user. Always validate, filter, sanitize. Look at this https://www.npmjs.com/package/xss

In the documentation of sails there are more attack types, but the above are the most popular.

