


I need to make from my client side javascript code an ajax request posting some data to the backend with jQuery.


JavaScript代码可以由各种客户端嵌入,因此我在后端启用了CORS,请求可以正常进行.后端受Basic Auth保护,并且auth标头存储在javascript客户端中.

The Javascript code can be embedded by various client so I enabled CORS on my backend and the requests go fine.The backend is protected by an Basic Auth and the auth header is stored in the javascript client.


How can I protect my backend so only my client can post data and prevent any other people from doing this.


您不能在JavaScript中存储机密.如果没有至少用户不能访问的用户名和密码,就无法保留用户名和密码(F12调试工具).即使使用 JavaScript加密,您仍然需要存储客户端上某个容易找到的秘密密钥.

You can't store secrets in JavaScript. There's no way you can hold on to a username and password without at least the user being able to get to them (F12 debugging tools). Even if were to use JavaScript encryption, you'd still need to store the secret key somewhere on the client where it can easily be discovered.

即使您信任用户, XSS 攻击也可能泄漏此用户名和密码信息发给攻击者.

And even if you trust the user, XSS attacks may leak this username and password info to an attacker.

这就是为什么OAuth 2.0在隐式授予中使用短暂访问令牌的原因与公共客户打交道.

That's why OAuth 2.0 uses short lived access tokens in an implicit grant to deal with public clients.


08-20 05:44