Now the project I am working on has separate front and back ends; it is mainly the development of an API interface. The login logic is like this.
First, the user logs in with the account password. If it is correct, a token is automatically generated, stored in Redis, and returned to the front end. After that, every time the front end calls the API it adds an "X-TOKEN" header to the HTTP request, with the token value stored in it. The back end then compares the token with the one in Redis to see if it is successful.
The problem is that if someone intercepts and acquires this token value, for example a user connects to his home's WiFi, and then designs an AJAX request that stores the token value according to that logic and then accesses the API interface, isn't it possible to get the data directly? Where is the security in doing so?
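The flow described in the question, as an added example that is not the asker's code: a minimal Python sketch with a dict standing in for Redis. The password check callback, the 15-minute TTL and the logout revocation are assumptions; it shows that any client presenting the token is accepted (the risk raised above) and that a short expiry plus server-side revocation bound that window.

```python
import secrets
import time

# Constructed stand-in for the Redis store: token -> (user_id, expiry_epoch).
# In a real deployment SETEX would let Redis drop the key itself.
_store = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumption: short-lived tokens shrink the replay window


def login(user_id, password, check_password, now=None):
    """Step 1 from the question: verify the password, then issue and store a token."""
    if not check_password(user_id, password):
        return None
    # 256 bits from the OS CSPRNG: the token itself must not be guessable.
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    _store[token] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def authenticate(headers, now=None):
    """Step 2: resolve the X-TOKEN header to a user, or None.

    Note that nothing here ties the token to the client that obtained it:
    whoever presents a valid token is treated as that user, which is exactly
    the concern in the question. Expiry and revocation limit how long that lasts.
    """
    presented = headers.get("X-TOKEN")
    if not presented:
        return None
    entry = _store.get(presented)  # keyed lookup, like a Redis GET on the token
    if entry is None:
        return None
    user_id, expires_at = entry
    now = time.time() if now is None else now
    if now >= expires_at:
        del _store[presented]  # expired: remove it so a replayed copy stops working
        return None
    return user_id


def logout(token):
    """Revoke server-side; deleting the key makes every copy of the token useless."""
    return _store.pop(token, None) is not None
```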