About the problem of separating the data interface between the front and back end?

the company has a small project that separates the front and back end, that is, I use ajax to request the data interface provided by the back end (mainly some text content) in js. Some colleagues have raised their own questions about this practice, that is, the data interfaces are all written in js, so they may be maliciously damaged by others by checking the address of the data interface of js, such as repeatedly cycling to this interface, resulting in a heavy load on the server.

question: will front and rear separation cause security problems such as the above? How to avoid it effectively?


that colleague of yours is limited, so don't be friends with him.
ajax requests can also be checked with various permissions. If you can crack the check, then even if you return the data through the page, can you also simulate the page request?
besides, if there is pressure on the server to adjust the interface many times, isn't it also stressful to request the page many times?


agree with the first floor, don't be friends with this colleague

there are many ways for ajax permissions, such as token verification, signature verification, etc.
the front end has no secrets from skilled people but try to
as long as someone wants to mess with your server, it is useless for you to return the page at the back end

.

I think it's normal for colleagues to ask questions and worry.
it's just that the security problem has little to do with the separation of front and rear ends. Multiple access restrictions can be easily configured in nginx.

in addition, some of the previous answers said that ajax permission verification is not the same thing as the heavy load caused by multiple visits to questions.


join in the fun, but the question of the landlord's colleagues is not mentioned.
all the questions raised by colleagues in the building are problems that should already exist in the backend. No matter whether they are separated or not, any content security placed at the front end is unreliable, and access control needs to be handled at the backend.
should focus on the separation of front and rear ends, such as what to do if there are only templates but no data SEO at the beginning of loading, such as what to do if the cache is not rendered by the server, and so on.


A client accesses the same interface multiple times will be cached, and there is no problem of excessive pressure on the server.


token permission verification, and reject repeated requests


Don't work with him as a colleague


Front-end Separation Project reference: s.notestore.cn/shop


encryption and decryption can be transmitted

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1b37c2d-2c0ca.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1b37c2d-2c0ca.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?