our interface uses jwt for authentication, and the frontend needs to carry token when accessing it. There are many places where token can be written, one is that path is written to the url parameter, and the other is that you can set header. Want to know what are the advantages and disadvantages of these two ways, and which one is better?
of course, in header, it is easy to be hijacked in url. Someone qq you, send him the url, send him the token directly, and then he can do whatever he wants to do when he gets the token. In addition, writing parameters in url to url escape, is one more step than writing header.
write in the number of parameters to prevent csrf. At this time, the token should be different from each interface, for example, when you ask for an interface, you will verify the token when the next token, submits it. Writing header should be a global one. You mainly think too much about permission verification such as
. Token is stored in the local cache. If you give url to others, they will not get your token.
Previous: Doubts about the use of svn