隐藏表单输入字段被萤火虫访问的最佳方法? [英] Best way to hide a form input field from being accessed using firebug?
问题描述
我有一个张贴到外部API的表单。有一个名为customer_token的参数作为输入字段传递。它用于通过API进行身份验证,并为每个客户分配一个令牌。输入字段在Firefox的Firebug中可见(即使它是隐藏字段)。
我如何隐藏它?
选项
使用javascript,正如我原先想的那样
我认为在提交表单之前使用javascript在运行时创建该输入字段,并立即删除该字段将会工作,但该字段仍然会立即显示。所以,即使一个人不能手动获取它,恐怕一个爬虫或蜘蛛(我不知道确切的术语 - 但一些自动脚本)可能会得到客户令牌。有更好的解决方案吗?表单提交后,仍然显示相同的表单。
使用Ikke建议的一次性标记概念
我不确定它会如何工作?该API需要正确的客户令牌值来处理任何请求。因此,即使生成一次性令牌并返回,也必须发送带有客户令牌的请求。这样,任何人都可以看到我的客户令牌值,他们也可以发送请求来获取一次性令牌并使用它。那么它是如何解决这个问题的呢?
已解决
检查
谢谢,
Sandeepan
这是 not 可能。 Firebug只是在它的实际状态下读取DOM,所以即使它在稍后阶段被添加,它仍然可以被检索。
这种安全方式称为安全通过隐藏,是一种非安全性。您必须以另一种方式解决问题,例如让服务器执行请求。
您让用户将表单提交给服务器。然后使用 curl ,使用正确的用户代码拨打web服务。
I have a form which is posted to an external API. There is a parameter called customer_token which is passed as an input field. It is used for authentication by the API and every customer is assigned one token. The input field is visible in Firefox's Firebug (even though it is a hidden field).
How do I hide it?
Options Using javascript as I thought initially
I think using javascript to create that input field at the run time before submitting the form and immediately removing the field will work but still the field will appear momentarily. So, even if a person can't manually get it, I am afraid that a crawler or spider (I don't know the exact term - but some automated script) may get the customer token. Is there a better solution for this? After form submission, the same form remains displayed.
Using one-time token concept as suggested by Ikke
I am not sure how it will work? The API needs the correct customer token value to process any request. So, even to generate a one-time token and return, a request with the customer token has to be sent. This way anyone is able to see my customer token value and they can also send a request to get a one-time token and use it. So how does it solve the problem?
Resolved Check How to post form to my server and then to API, instead of posting directly(for security reasons)? Thanks, Sandeepan
This is not possible. Firebug just reads the DOM in it's actual state, so even if it's added in a later stage, it can still be retrieved.
This way of security is called Security through obscurity and is a kind of non-security. You would have to solve it another way, like letting the server do the request in stead.
You let the user submit the form to the server. Then with curl, you make the call to the webservice with the correct user code.
这篇关于隐藏表单输入字段被萤火虫访问的最佳方法?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
