APP接口安全问题
如何保证安全性呢?
大家做APP接口是如何保证安全的呢
网上有几种方法
1.提交用户名和密码,但是很多接口是公开的
2.生产客户端和服务端一样的token , 如果是以时间的话,那么59分发送过去,服务端01分才接受到,那么就会数据错误
3.有什么方法解决呢 亲?
回复内容:
如何保证安全性呢?
大家做APP接口是如何保证安全的呢
网上有几种方法
1.提交用户名和密码,但是很多接口是公开的
2.生产客户端和服务端一样的token , 如果是以时间的话,那么59分发送过去,服务端01分才接受到,那么就会数据错误
3.有什么方法解决呢 亲?
首先,HTTPS能上就上,抗抓包能力强。
其次,客户端和服务器共享一套加密或者散列算法,参数中加入随机验证参数,服务器识别验证。
最后,可以在头中定义一些特殊的验证参数验证来源(当然也包括类似Token的东西)。
不过,这些都是在客户端不会被反编译的情况下才有效。
第一个问题,很多接口都是需要token或者说key来调用的,当然不排除一些开放的接口。你都有用户名和密码去调用了。还有什么安全性,顶多就是做一些防止暴力破解的机制
第二个问题,大部分通过时间戳加密的都会在传递参数的过程中把这些加密参数完全传递(当然还有一些私有的密钥,这个只参与加密过程,并不会传递,也不会放到外面让大家看到的。貌似之前有个微信二次开发的提供商,把大量的appsecrect暴露,引起了XXX),也就是说系统接到请求,以接到的请求数据进行加密对比。
第三个问题,如果你理解上面说的,应该就懂了。。
附一个简单的加密流程
第三方:appid,appsecrect[私密的]
app接口:appid,appsecrect
第三方调用app接口会传递:appid+时间戳+md5(appid+时间戳+appsecrect),注意这里的appsecrect在调用app时,并不会参与传递。
app接到请求:得到请求中的appid+时间戳,通过appid在存储中获取appsecrect 然后进行md5(appid+时间戳+appsecrect),通过这个串同第三方的md5加密后的串进行比对,如果不同则抛出错误
HTTPS + SSLPinning + Token
1.HTTPS
2.签名机制(Token)
3.接口内容加密(RES/AES)
4.oauth2
公钥传输私钥加密
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
CakePHP Project Configuration
Sep 10, 2024 pm 05:25 PM
In this chapter, we will understand the Environment Variables, General Configuration, Database Configuration and Email Configuration in CakePHP.
PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian
Dec 24, 2024 pm 04:42 PM
PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati
CakePHP Date and Time
Sep 10, 2024 pm 05:27 PM
To work with date and time in cakephp4, we are going to make use of the available FrozenTime class.
CakePHP File upload
Sep 10, 2024 pm 05:27 PM
To work on file upload we are going to use the form helper. Here, is an example for file upload.
CakePHP Routing
Sep 10, 2024 pm 05:25 PM
In this chapter, we are going to learn the following topics related to routing ?
Discuss CakePHP
Sep 10, 2024 pm 05:28 PM
CakePHP is an open-source framework for PHP. It is intended to make developing, deploying and maintaining applications much easier. CakePHP is based on a MVC-like architecture that is both powerful and easy to grasp. Models, Views, and Controllers gu
How To Set Up Visual Studio Code (VS Code) for PHP Development
Dec 20, 2024 am 11:31 AM
Visual Studio Code, also known as VS Code, is a free source code editor — or integrated development environment (IDE) — available for all major operating systems. With a large collection of extensions for many programming languages, VS Code can be c
CakePHP Creating Validators
Sep 10, 2024 pm 05:26 PM
Validator can be created by adding the following two lines in the controller.
