Principle of postman request

postman can submit post requests

is not subject to cross-domain restrictions of browsers

is it possible to log in to the website so that you can log in in postman

how to restrict a website

cannot be submitted in this debug interface tool

I understand the cross-domain restrictions of browsers

for other interfaces, the submission will be successful as long as the parameters are correct, as long as the backend does not restrict what the front end does

now I am thinking about how to prevent cross-browser requests so that he can only request on this site

ask the Great God to suggest several methods

Jan.13,2022

can't do it. You can do simple verification by simple hash verification, such as CSRF TOken, but you can simulate it, but it's difficult to simply use postman


.

preventing cross-domain is just a security policy of browsers. When you use postman , naturally there is no cross-domain concept. When do you see C code S client have cross-domain problems.

The

http request essentially sends data to the specified url, and then the server accepts the data and returns the data according to the received data. As long as the data sent is correct, the data will be returned. Otherwise, this api will have bug.

but as long as it is data, it can be imitated. If we want to prevent this situation, we have to make efforts to increase the cost of simulation. For example, a dynamic parameter is required for each visit, so postman cannot be generated automatically, so every time others want to debug through postman , they need to generate such a parameter manually, which increases the cost of debugging. If it is not enough, you can expand on this parameter, such as increasing the difficulty of generating parameters, or increasing the number of parameters. For example, every time you calculate this parameter, you need to take the data in localStorage to calculate, which increases the cost of debugging.

or you can add redirects to return a redirected url instead of putting it back directly each time, and the data is returned from this url, so that the returned redirect address needs to be copied once for each debug. Not yet, just add a few more redirects, tired debugging people. You can also add the above parameter requirements when redirecting.

of course, this can only increase the debugging cost at most, but can't stop it.

or the other party simply uses fiddler , accesses it normally with the browser, then intercepts it with fiddler , modifies the parameters and sends it again.

there are different solutions for different situations, and you need to consider whether you really want to do so according to your actual needs. After all, each additional layer consumes cost and experience.


Cross-domain is a limitation of browsers. Even if I can't use postman, to write a request to simulate login, I can't stop it. Although the backend can check the request source ip, these can be bypassed by setting proxies and forged request headers. In most cases, the corresponding costs and benefits are out of proportion.
besides, since other people can log in, what's the point of preventing it from logging in postman?


< H2 > one of < / H2 >

POSTMAN automatically carries the POSTMAN keyword in the submitted User-Agent by default when it submits the request, but this value can be modified.

< H2 > followed by < / H2 >

just like developing API for Android or iOS, these are not subject to cross-domain control, so you can add authentication information to your API to prevent unauthorized access.

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1b3c1cf-2c2f1.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1b3c1cf-2c2f1.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?