in writing a WEB API, I now put TOKEN in the web request header HEADER and use HTTPS to communicate with the server.
will you be hijacked to TOKEN? A little worried about falsifying requests. Ask for advice ~ Thank you!
in writing a WEB API, I now put TOKEN in the web request header HEADER and use HTTPS to communicate with the server.
will you be hijacked to TOKEN? A little worried about falsifying requests. Ask for advice ~ Thank you!
token is used to ensure the trustworthiness of the data source. As for token itself, the security does not fall within its responsibility.
for example, if the information is generated with jwt, the information stored in it is not encrypted. He only ensures that the information in it is correct. For example, {id:12345} I use this data to generate a token , this token is divided into three pieces of information. The first paragraph is the header Header . The second part is our data Payload , through base64 encryption, the third part is the encrypted signature, generated by Header and Payload as well as our private key.
when the client accesses the server with this token , I will verify the integrity of the whole data through our private key. If verified, it shows that this information is credible. When the information is tampered with, for example, someone gets token and changes the data to {id:56789} , but he does not have a private key, so he cannot generate a correct signature. When the server verifies token , we know that the data has been tampered with, and then perform the corresponding processing.
this is the function of token to ensure the credibility of the data. Make sure that this token is within its limits of authority, but not beyond its limits, such as the information of other users.
of course, you can add other measures according to your needs, such as not wanting others to know the data in token , then you can encrypt this data.
or beware that this token will be obtained by others, as a result of the user's loss. That needs to be ensured by adding other means, such as verifying the visiting ip, such as setting a shorter expiration time, such as the HTTPS you use, or adding more validation, and so on. Reduce the chance of being stolen by increasing the theft cost of a third party.
you can think of token as the bank's banknote detector, which is responsible for verifying that the counterfeit banknotes are all real money. As for whether the money is stolen or obtained by a normal exchange, it is not controlled by the banknote detector, it is managed by the police uncle.
refer to
what is JWT-- JSON WEB TOKEN
server side authentication artifact-- JWT (1)
from-being-hijacked-and-used-to-pose-as-the-original-user"" Rel= "nofollow noreferrer" > What protects a JWT from being hijacked and used to pose as the original user?
What if JWT is stolen?
ide-handling-of-jwt-tokens" rel= "nofollow noreferrer" > Best practices for server-side handling of JWT tokens
A timing examination system is triggered if the click event is triggered within 5 seconds, and if it is not triggered, the system marks the correct answer at the end of the countdown. How to implement ...
description: a regular match is given to the content of an input box, and the matching content is the product activation code. looks like this: "0C31-0B81-BB32-3094-0C31-0B81-BB32-3094 " Code: $( -sharplicenseCode ).keyup(function () { le...
I configured the MIME type of the file with the amr suffix in the apache configuration as application ms-download, Why it is a garbled page when opening a file in amr format using window.open in chrome, while a file in amr format can be successfully dow...
I got a set of data, which is to choose the type of question. How can I tell if I have chosen the right one answera: "Olympic Games " answerb: "Asian Games " answerc: "Paralympic Games " answerd: "University Games " id: "1772 " question: "f...
...
do the gods have plug-ins for uploading attachments in the mobile version that can also be uploaded more than one? ...
wrote an H5 page. According to the official description of Wechat jssdk, it is found that the shared icons and descriptions are invalid. the code is like this ....
what is the current level of support for vw,vh layouts in mobile browsers? ...
...
the traditional position: fixed; is relative to the window, and there are two main points of the problem . relative to the specified parent element fixed positioning encountered the following problems in mobile development. The green box is the...
this method is included in the constructor of most components, so what exactly is this method for constructor(props,context){ super(props,context) } ...
adopt a reward of 10 yuan, 1045 Access denied for user root @ localhost (using password:NO) recently, when I was at the front end of my self-study, I came into contact with a little bit of database. This happened when I made a new connection on ...
the original domain name of our company s website has expired. I want to change it to another domain name. How can I change it? The website is developed using Aliyun s Yunmeng. ...
as shown in the red box of the second picture, is there any recommendation for this plug-in? Thank you. the screenshot is uploaded, so let s just look at it. nothing can be found in vueawesome. ...
http: shrek.imdevsh.com demo. ask for help: the principle of inertia retardation effect in demo touchmove ...
I would like to ask why the clear floating code I wrote is invalid. and. How to use the flex layout to make the horizontal arrangement of the above two div fill the entire screen. The third div is filled with the bottom location. code is as follows: `...
want to explain how to make table different colors? is not different. is . <table> <tr> <td width="100">a< td> <td><a>< td> < tr> <tr> ...
I ve been looking for it for a long time, but I can t find it. 1. After the direct upload of web is completed, the server cannot know whether the file was uploaded successfully, who uploaded it, and the information of the file 2. Using web to dire...
is not to analyze user browsers, but to evoke Wechat app in Weibo app and open a link with Wechat app; WeChat Work can have this function, whether Weibo has a similar configuration. ...
there is an h5 page embedded in the encapsulated APP. After the function of issuing an order, how can I get the user s id to add the address and place the order ...