1. 技术文章
  2. Secure ajax GET/POST request for server

Secure ajax GET/POST request for server

不问归期 提交于 2019-12-12 12:43:19

问题


suppose I work with some kind of API and my file server.php handles the connection to the API service. on my client side I use AJAX call like this:

$http({
         url : 'server/server.php',
         method : 'GET',
         data : { getContent : true }
     });

in my server.php I handle it like this: 

if(isset($_GET['getContent'])){
    $content = get_content();
}

function get_content(){...}

i just wonder what prevents any one send AJAX call with the same getContent parameter and get all my data? how can i secure it and make sure only calls from my application will get the relevant data back?

thank you!


回答1:


I guess you are concerned about CSRF attacks. Read more about this here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

One of the mostly used option to secure your request will be: - Generate a token and send it with the request for a session. This token can be identified by your WebServer as originating from a specific client for a specific session




回答2:


i just wonder what prevents any one send AJAX call with the same getContent parameter and get all my data?

Nothing. This URL is public thus anyone can make requests to it.

how can i secure it and make sure only calls from my application will get the relevant data back?

You can pass additional data (for example, some hashed value) that is verified on the server side.

$http({
     url : 'server/server.php',
     method : 'GET',
     data : { getContent : true, hash : '0800fc577294c34e0b28ad2839435945' }
 });

and

if(isset($_GET['getContent']))
{
    if(isset($_GET['hash']) && validateHash($_GET['hash']))
    {
        $content = get_content();
    }
}

function get_content(){...}



回答3:


i just wonder what prevents any one send AJAX call with the same getContent parameter and get all my data?

The same way you would protect the data in any other request (e.g. with user authentication). There's nothing special about Ajax in regards to HTTP as far as the server is concerned.

how can i secure it and make sure only calls from my application will get the relevant data back?

You can't. The user can always inspect what their browser is asking the server for and replicate it.

Generally, people authenticate users rather than applications.



来源:https://stackoverflow.com/questions/29883223/secure-ajax-get-post-request-for-server

标签
javascript
php
jquery
ajax
get
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!