确保服务器的ajax GET / POST请求 [英] Secure ajax GET/POST request for server
问题描述
假设我使用某种API,并且我的文件 server.php 处理与API服务的连接。在我的客户端,我使用AJAX调用,如下所示:
$ http({
url:'server / server。 php',
方法:'GET',
data:{getContent:true}
});
在我的server.php中,我是这样处理的:
if(isset($ _ GET ['getContent'])){
$ content = get_content();
函数get_content(){...}
我只是想知道是什么阻止任何人使用相同的getContent参数发送AJAX调用并获取我的所有数据?我怎样才能保护它,并确保只有来自我的应用程序的调用才能得到相关数据?
谢谢!
我想你担心CSRF攻击。请点击此处阅读更多信息: https://www.owasp.org/index .bp / Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
保护您的请求最常用的选项之一是:
- 生成令牌并将其发送给会话请求。您的Web服务器可将此令牌标识为源自特定客户端的特定会话
suppose I work with some kind of API and my file server.php handles the connection to the API service. on my client side I use AJAX call like this:
$http({
url : 'server/server.php',
method : 'GET',
data : { getContent : true }
});
in my server.php I handle it like this:
if(isset($_GET['getContent'])){
$content = get_content();
}
function get_content(){...}
i just wonder what prevents any one send AJAX call with the same getContent parameter and get all my data? how can i secure it and make sure only calls from my application will get the relevant data back?
thank you!
I guess you are concerned about CSRF attacks. Read more about this here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
One of the mostly used option to secure your request will be: - Generate a token and send it with the request for a session. This token can be identified by your WebServer as originating from a specific client for a specific session
这篇关于确保服务器的ajax GET / POST请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!