简体中文(ZH-CN) English(EN) 繁体中文(ZH-TW) 日本語(JA) 한국어(KO) Melayu(MS) Français(FR) Deutsch(DE)
Home > Backend Development > PHP Tutorial > body text

javascript - How to do security verification in ajax API?

WBOY
Release: 2016-08-08 09:06:48
Original
1546 people have browsed it

In the web, when using Ajax to call API, how to do security verification to prevent other websites from calling it?

How to solve the interface security problem if it is an APP call? And how can the API not be exposed to the public network? As long as your APP can be called, doesn't it count as being exposed to the public Internet?

Reply content:

In the web, when using Ajax to call API, how to do security verification to prevent other websites from calling it?

How to solve the interface security problem if it is an APP call? And how can the API not be exposed to the public network? As long as your APP can be called, doesn't it count as being exposed to the public Internet?

Ajax cannot solve the problem across domains. Cross-domain simulation requests can be sent through the server to obtain ajax data

There are two methods, but they are basically similar, one is the request header, and the other is to add the input token to the page. But the main problem in these two methods is to encrypt the token
For example, token = md5(IP + random number + timestamp + UID + session_secret) In fact, you can just define the content yourself, mainly encryption

Put the encrypted content into the session, and set the expiration time for the session

1. If you want to request the header

Add the access_token request header, obtain the content of the request header in the background, and then compare it with the value in the session. If it is tried, it will prove that there is no problem, and then the session will be invalid.

2. It is similar to the request header, but the encrypted value is placed in the input hidden. When submitting ajax, this value is obtained and placed in the parameter.

Answer your questions on the app behind you

To access the APP, it must be on the public network. Our current security solution is parameter encryption

For example, if you want to submit a=1&n=2

Then the parameters must be encrypted when actually submitting, mid=xxx&a=1&b=2&sign=md5(' mid=xxx&a=1&b=2'+key)

mid represents an account for the client to call the interface, and the account corresponds to a key

The server must check whether the submitted parameters are correct every time, which is the last sign parameter

Another important point is that if the client is a native APP, the code must be obfuscated and encrypted to prevent decompilation. Then this key is changed regularly, and the key is changed as the version is updated

Another method is to request an encrypted address for all the parameters to be submitted before submitting the parameters. This address will return an encrypted token based on your parameters. You take this token and then submit the actual parameters, and the backend will do it. Verify

The disadvantage of this method is that it requires one more network request, which is only suitable for hybrid applications

I learned these from reading other blogs, and I don’t know how the interfaces of apps like Taobao and JD.com are handled

If there are no additional settings on the server, ajax cannot call your api across domains. You can also get the requested domain name to judge it

To allow access to websites you authorize
You can add Access-Token in the request header

If it is an API call of an interface nature, it should not be exposed on the public Internet; if it is ajax used for front-end js, then it must be ensured that the user can only call it after logging in, which means verifying the session.

Add token in the ajax request header, such as 

<code>$(function() {
    $.ajax({
        type: "GET",
        url: "godruoyi.com",
            beforeSend: function(request) {
                request.setRequestHeader("token", "asdadsadasdasdadadad");
            },
            success: function(result) {
                alert(result);
            }
        });
});</code>
Copy after login

Or add

to the template base class 
<code>$.ajaxSetup({
    headers: { 'token' : 'xxxxxxxxxxxx' }
});</code>
Copy after login

token can be a valid value returned from the login API. This needs to be designed by your application. All subsequent requests (to verify identity, bring the token), the server uses this token to identify the user.

Somewhat similar to Oauth2, refer to oauth2.0

Related labels:
javascript php
source:php.cn
Previous article:How to write this mysql statement in php? Next article:javascript - I'm new to php and have garbled code problems.
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Latest Issues
CSS only method to dynamically modify image src on click without using JavaScript I need to change the src of an image on mouse click using only css like img:active{}
From 2024-04-06 19:25:49
0
1
505
Scatterplot points do not maintain values ​​when zooming in d3.js This is my first time using d3.js, so please bear with me. I implemented it as pure JavaSc...
From 2024-04-06 18:16:26
0
1
403
JavaScript hover events on vendor-specific pseudo-elements I have the following htmlinput tag. $("input[type='range']::-webkit-slider-thumb"...
From 2024-04-06 15:35:24
0
1
274
Submit form without button using Javascript/Jquery I'm trying to submit a form without a button by calling a JavaScript function and executin...
From 2024-04-06 14:54:03
0
2
421
Customize the appearance of Bootstrap accordion headers using the CollapseDisplay class I want to style the card title of a panel with class collapseshow. In this example, it's t...
From 2024-04-06 12:53:11
0
1
376
Related Topics
More>
Popular Recommendations
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template
About us Disclaimer Sitemap
php.cn:Public welfare online PHP training,Help PHP learners grow quickly!