javascript - How to do security verification in ajax API?

In the web, when using Ajax to call API, how to do security verification to prevent other websites from calling it?

How to solve the interface security problem if it is an APP call? And how can the API not be exposed to the public network? As long as your APP can be called, doesn't it count as being exposed to the public Internet?

Reply content:

In the web, when using Ajax to call API, how to do security verification to prevent other websites from calling it?

How to solve the interface security problem if it is an APP call? And how can the API not be exposed to the public network? As long as your APP can be called, doesn't it count as being exposed to the public Internet?

Ajax cannot solve the problem across domains. Cross-domain simulation requests can be sent through the server to obtain ajax data

There are two methods, but they are basically similar, one is the request header, and the other is to add the input token to the page. But the main problem in these two methods is to encrypt the token
For example, token = md5(IP + random number + timestamp + UID + session_secret) In fact, you can just define the content yourself, mainly encryption

Put the encrypted content into the session, and set the expiration time for the session

1. If you want to request the header

Add the access_token request header, obtain the content of the request header in the background, and then compare it with the value in the session. If it is tried, it will prove that there is no problem, and then the session will be invalid.

2. It is similar to the request header, but the encrypted value is placed in the input hidden. When submitting ajax, this value is obtained and placed in the parameter.

Answer your questions on the app behind you

To access the APP, it must be on the public network. Our current security solution is parameter encryption

For example, if you want to submit a=1&n=2

Then the parameters must be encrypted when actually submitting, mid=xxx&a=1&b=2&sign=md5(' mid=xxx&a=1&b=2'+key)

mid represents an account for the client to call the interface, and the account corresponds to a key

The server must check whether the submitted parameters are correct every time, which is the last sign parameter

Another important point is that if the client is a native APP, the code must be obfuscated and encrypted to prevent decompilation. Then this key is changed regularly, and the key is changed as the version is updated

Another method is to request an encrypted address for all the parameters to be submitted before submitting the parameters. This address will return an encrypted token based on your parameters. You take this token and then submit the actual parameters, and the backend will do it. Verify

The disadvantage of this method is that it requires one more network request, which is only suitable for hybrid applications

I learned these from reading other blogs, and I don’t know how the interfaces of apps like Taobao and JD.com are handled

If there are no additional settings on the server, ajax cannot call your api across domains. You can also get the requested domain name to judge it

To allow access to websites you authorize
You can add Access-Token in the request header

If it is an API call of an interface nature, it should not be exposed on the public Internet; if it is ajax used for front-end js, then it must be ensured that the user can only call it after logging in, which means verifying the session.

Add token in the ajax request header, such as

<code>$(function() {
    $.ajax({
        type: "GET",
        url: "godruoyi.com",
            beforeSend: function(request) {
                request.setRequestHeader("token", "asdadsadasdasdadadad");
            },
            success: function(result) {
                alert(result);
            }
        });
});</code>

Or add

to the template base class

<code>$.ajaxSetup({
    headers: { 'token' : 'xxxxxxxxxxxx' }
});</code>

token can be a valid value returned from the login API. This needs to be designed by your application. All subsequent requests (to verify identity, bring the token), the server uses this token to identify the user.

Somewhat similar to Oauth2, refer to oauth2.0