I want to defend my login page against CSRF, but I don't know what to do.
The page currently uses axios + Tencent verification code (AJAX).
Add a unique header, and have the backend accept only requests that carry that header, and verify its value.
Add a check on the source of the request (the Referer), and reject all requests that do not come from your own site.
Set Access-Control-Allow-Origin to only the few sites you need, or do not open cross-domain requests at all.
You can use both token and signature verification, which requires changes on both the front end and the server.
1. Check user submissions through the Referer, a token, or a CAPTCHA.
2. Try not to expose users' private information in the links on the page.
3. It is best to use POST for actions such as user modifications and deletions.
4. Avoid a site-wide cookie, and strictly set the cookie's domain.