当前位置: 动力学知识库 > 问答 > 编程问答 >

javascript - How to ensure the security of APIs which is open to front-end and other servers?

问题描述:

I am building a website. This site's front-end page needs to get/post data via AJAX from/to server, and the server provides the same APIs to other apps(private apps, not public, under the same 1st class domain).

For example, POST /api/users is used to create a new user. The site will provide a register page, which will use this API to register user(via AJAX). I want the other apps to also be able to use this API to register user.

In general, I use hashed string to authenticate the request from other apps. But I don't think that I can do the same thing for the front page.

I don't want to use two different APIs for front page and other apps separately. So how can I do this?

I am using Node.js and Express.

网友答案:

I recommend using a combination of APIs. Login a user or creating a user should return a Session token. Then, every subsequent request should include that token. The other APIs on your server, should not allow requests without a user session token. So, when a requests comes in to eg: /app/data, the server looks up the session token (usually sent in a header) to verify the user exists and is logged in.

This typically works in a mobile app with website scenario because users will have to register via the website. Therefore, the registration API is restricted to the website by way of disallowing CORS for the registration API, but allowing CORS for all other APIs in your server. As long as they look up the Session token to verify it is valid, then I don't think there are too many security risks there.

A more advanced and secure approach would be to secure the API with OAuth 2. Since you own the server, it would be quite easy to register user via an OAuth 2 handshake from both website and mobile app.

分享给朋友:
您可能感兴趣的文章:
随机阅读: