can't do it. You can do simple verification, such as a hash check or a CSRF token; that can still be simulated, but it is difficult to do with Postman alone.
The cross-domain restriction is just a security policy of browsers. When you use Postman, naturally there is no cross-domain concept. When have you ever seen a C/S client have cross-domain problems?
An HTTP request essentially sends data to the specified URL; the server accepts the data and returns data according to what it received. As long as the data sent is correct, data will be returned; otherwise, this API has a bug.
But as long as it is data, it can be imitated. If we want to prevent this, we have to make an effort to increase the cost of simulation. For example, require a dynamic parameter on every visit that Postman cannot generate automatically, so every time someone wants to debug through Postman they have to generate that parameter by hand, which raises the cost of debugging. If that is not enough, you can expand on this parameter, for example by making it harder to generate or by increasing the number of parameters. For instance, every time this parameter is computed it has to take data from localStorage into the calculation, which raises the cost of debugging again.
Or you can add redirects: instead of returning the data directly each time, return a redirected URL and serve the data from that URL, so the returned redirect address has to be copied once for every debug. Still not enough? Add a few more redirects and wear out whoever is debugging. You can also add the parameter requirements above to the redirect.
Of course, this can at most increase the cost of debugging; it can't stop it.
Or the other party simply uses Fiddler: access the site normally with the browser, intercept the request with Fiddler, modify the parameters and send it again.
There are different solutions for different situations, and you need to consider whether you really want to do this according to your actual needs. After all, each additional layer costs effort and hurts the user experience.
Cross-domain is a limitation of browsers. Even if I can't use Postman, I can write a request that simulates the login, and you can't stop it. Although the backend can check the request's source IP, these checks can be bypassed with proxies and forged request headers. In most cases the cost and the benefit are out of proportion.
Besides, since other people can log in anyway, what's the point of preventing them from logging in through Postman?
First: Postman by default carries the "Postman" keyword in the User-Agent it submits with the request, but this value can be modified.
Second: just as when developing an API for Android or iOS, these clients are not subject to cross-domain control, so you can add authentication information to your API to prevent unauthorized access.