Problem description
My research shows that only the Host, Referer, and User-Agent headers can be spoofed. (source)
Is this a correct assumption to make? The security of a site I am building may require that "x-requested-with" cannot be faked. This is far from ideal but may be the only avenue I have.
Recommended answer
Just about anything in HTTP can be spoofed. The level of 'spoofability' is hard to determine. It's fairly trivial to craft a request with any header value I desire.
If it's your only option, so be it, but I wouldn't want to use a site that relied on it for anything important.
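An added example, not part of the original question or answer: a server-side check that trusts "x-requested-with" compared with one that verifies a value only the server can produce. The function names, the `X-Request-Token` header, the session ids and the raw request are all constructed for illustration, and the token scheme assumes the session id is itself a secret issued by the server.

```javascript
// Added example; every name and value here is constructed, not from the page.
const crypto = require('node:crypto');

// Minimal parser for the header section of an HTTP/1.1 request.
function parseHeaders(raw) {
  const headers = {};
  const lines = raw.split('\r\n\r\n')[0].split('\r\n').slice(1); // drop request line
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Weak check: trusts text that the client itself wrote into the request.
function looksLikeAjax(headers) {
  return headers['x-requested-with'] === 'XMLHttpRequest';
}

// Verifiable check (assumed design): token = HMAC(serverKey, sessionId).
const SERVER_KEY = crypto.randomBytes(32); // never leaves the server
function issueToken(sessionId) {
  return crypto.createHmac('sha256', SERVER_KEY).update(sessionId).digest('hex');
}
function hasValidToken(headers, sessionId) {
  const got = Buffer.from(headers['x-request-token'] || '', 'utf8');
  const want = Buffer.from(issueToken(sessionId), 'utf8');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return got.length === want.length && crypto.timingSafeEqual(got, want);
}

// Constructed request, written by hand rather than sent by a browser.
const HANDWRITTEN = [
  'POST /api/update HTTP/1.1',
  'Host: app.example',
  'X-Requested-With: XMLHttpRequest',
  'X-Request-Token: 0000',
  '', '',
].join('\r\n');

function demo() {
  const h = parseHeaders(HANDWRITTEN);
  const genuine = { ...h, 'x-request-token': issueToken('session-123') };
  return {
    weakAcceptsHandwritten: looksLikeAjax(h),
    tokenAcceptsHandwritten: hasValidToken(h, 'session-123'),
    tokenAcceptsGenuine: hasValidToken(genuine, 'session-123'),
    tokenAcceptsOtherSession: hasValidToken(genuine, 'session-456'),
  };
}
```

The header check accepts the hand-written request because it only compares a string the sender chose, while the token check fails unless the value was issued by the server for that session.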