How to strengthen the security when obtaining data through the interface

now we get the data directly according to the id request API
but in this way, anyone who knows the user"s ID can get the data.
how to strengthen security?

Jun.16,2021

can be done in the form of token. For more information, please see the authorization mechanism of Wechat's official account.


key question:

1. Is ID traversable?
2. Is there an anti-crawling policy when crawling in batches?

solution:

1. UserId is a random hash string as far as possible, rather than a traverable string (such as self-increasing id)
2. To do a good job of current restriction, anti-brushing and anti-crawling, there are many schemes in strategy and implementation, which can be learned by yourself.

in addition, sites such as github.com can also obtain user information, but it does not cause large-scale disclosure of user privacy. Defense measures can be studied through attacks.


  • Google's authorization mechanism. If you don't understand it, you should know the authorization of Wechat interface. Refer to
  • the frequency and number of requests from the same client should be limited
  • some services also have to perform service degradation and circuit breaker mechanisms ( spring cloud has components), that is, when the service request is too high, edge services are temporarily shielded in order to ensure the core business. Of course, parameter checking and caching are also necessary. That's about all.

oAuth 2.0 , to put it simply, users return token when logging in, and token must be verified when accessing the API. Specifically, take a good look at the development document of Wechat's official account, that is, oauth2.0


ase encryption algorithm. Encrypt and protect the transmitted data


the general solution is to use token for authentication


this kind of problem. Depends on what information you get.

right.

Private information is available only to the owner. Like a cell phone number. Dude, you have a crush on that anchor. I'll call you and you can contact me yourself.
take whatever you want with non-private information. Like nicknames. It's worth nothing. Right. Real names might be useful.

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1e54839-44800.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1e54839-44800.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?