Ideas for protecting a web app's data source
I'm working on a new web app where a large amount of content (text, images, meta-data) is requested via an Ajax request.
No auth or login required for a user to access this.
My concern is that you could easily look up the data source URL and hit it directly outside the app to get large data. In some ways, if you can do this you could probably scrape the static HTML pages elsewhere that also have this content.
Are there any suggestions on methods to obfuscate, hide, or otherwise make it very difficult to access the data directly?
Example: web app HTML page contains a key that is republished every 30 min. On the server side the data is obfuscated based on this key. In order to get the data outside the app you'd need to figure out the data source but also the extra step of scraping the page for a key every 30 min.
I realize there is no 100% way to stop someone, but I'm talking more about deterrence.
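The rotating-key scheme sketched in the question, written out as an added example (this is not code from the question or any answer): the server derives a key from a secret and the current 30-minute window, embeds that key in the page, and the Ajax endpoint only returns the payload, XOR-masked with a keystream derived from the key, when a key for the current or previous window is presented. The secret, the window length, the payload and the page markup are constructed assumptions. Because the key is visible in the page, the masking is obfuscation rather than confidentiality, which matches the deterrence framing of the question.

```python
import hashlib
import hmac
import json
import time

# Assumption: in a real deployment this comes from configuration, not source code.
SERVER_SECRET = b"replace-with-a-long-random-secret"
WINDOW_SECONDS = 30 * 60  # the question's 30-minute republish interval

# Constructed sample payload standing in for the text/image metadata the app serves.
PAYLOAD = json.dumps({"items": [{"id": 1, "title": "first"}, {"id": 2, "title": "second"}]}).encode()


def window_index(now=None):
    """Index of the 30-minute window that `now` (epoch seconds) falls into."""
    now = time.time() if now is None else now
    return int(now // WINDOW_SECONDS)


def page_key(window):
    """Key published in the page for one window: an HMAC over the window index,
    so it cannot be predicted without the server secret."""
    return hmac.new(SERVER_SECRET, str(window).encode(), hashlib.sha256).hexdigest()


def render_page(now=None):
    """HTML fragment served with the first page; it carries the current key."""
    key = page_key(window_index(now))
    return f'<script>window.DATA_KEY = "{key}";</script>'


def valid_key(presented, now=None):
    """Accept the current window's key and the previous one, so a page loaded
    just before a boundary keeps working for up to 30 more minutes."""
    w = window_index(now)
    return any(hmac.compare_digest(presented, page_key(w - i)) for i in (0, 1))


def keystream(key, length):
    """Deterministic byte stream derived from the key (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def obfuscate(data, key):
    """XOR the data with the keystream; applying it twice restores the input.
    This only hides the payload from casual inspection, since the key is public."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def data_endpoint(presented_key, now=None):
    """Ajax handler: (status, body). Refuses requests without a valid key and
    masks the payload with the key the client presented so it can unmask it."""
    if not valid_key(presented_key, now):
        return 403, None
    return 200, obfuscate(PAYLOAD, presented_key)


if __name__ == "__main__":
    page = render_page()
    print(page)
    key = page.split('"')[1]
    status, body = data_endpoint(key)
    print(status, obfuscate(body, key).decode())
```

The client-side JavaScript would read `window.DATA_KEY`, send it with the Ajax request, and reverse the XOR with the same keystream construction; a scraper that fetches the page first can do exactly the same, which is the extra step the question describes.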
Comments (3)
Use sessions in your webapp. Make a note (e.g. database entry or some other mechanism which your server-side code can access) when a valid request for the first page is received and include code in the second page to exclude the data when processing a request without a corresponding session entry.
Obviously the specifics on how to do this will vary between languages, but most robust web platforms will support sessions, largely for this type of reason.
If you are wanting to display real-time data and are concerned about scrapers...if this is a big enough concern, then I suggest doing it with flash instead of JS (AJAX). Have the data display within a flash object. Flash can make real-time send/receive requests to the server just like AJAX. But the benefit of Flash is that the whole stage, data, code, etc. are within a flash object, which cannot be scraped. Flash object makes the request, you output the stuff as a crypted string of code. Decrypt it within flash and display from there.
You answer your own question: if the data is worth getting, it will be obtained, because obfuscating merely makes it harder to find.
You could, in the server-side script that processes the ajax request and returns the data, check where the request came from.
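The two server-side checks proposed in the first and third comments, as one added example that is not code from either commenter: the handler for the first page records in the session that the page was served, and the data handler refuses any request whose session lacks that mark or whose Origin (falling back to Referer) is not the app's own origin. The `Request`/`Response` classes, the in-memory session store and the allowed origin are constructed stand-ins for whatever the real web platform provides. Both headers are supplied by the client, so a non-browser client can omit or set them; like the session mark, this deters casual reuse of the endpoint rather than preventing it.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the web app's own origin; a real app would load this from config.
ALLOWED_ORIGINS = {"https://app.example"}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object
    set_cookie: Optional[str] = None  # session id to set, when a session was created


def request_origin(headers):
    """Origin the browser claims the request came from: the Origin header, or the
    scheme://host part of Referer when Origin is absent. None if neither is present."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


class DataApp:
    """Two handlers sharing an in-memory session store."""

    def __init__(self):
        self._sessions = {}  # session id -> {"page_served": bool}

    def _session_for(self, request):
        sid = request.cookies.get("sid")
        return self._sessions.get(sid) if sid else None

    def serve_first_page(self, request):
        """Serve the HTML page and note in the session that it was served."""
        session = self._session_for(request)
        new_sid = None
        if session is None:
            new_sid = secrets.token_urlsafe(32)  # unguessable session id
            session = {"page_served": False}
            self._sessions[new_sid] = session
        session["page_served"] = True
        return Response(200, "<html><!-- page that issues the Ajax request --></html>", new_sid)

    def serve_data(self, request):
        """Ajax handler: data only for sessions that received the page,
        and only when the request claims to come from the app's own origin."""
        session = self._session_for(request)
        if session is None or not session["page_served"]:
            return Response(403, "no session: load the page first")
        if request_origin(request.headers) not in ALLOWED_ORIGINS:
            return Response(403, "request did not originate from the app")
        return Response(200, {"items": ["constructed sample data"]})


if __name__ == "__main__":
    app = DataApp()
    print(app.serve_data(Request()).status)  # 403: no session yet
    first = app.serve_first_page(Request())
    ajax = Request(headers={"Origin": "https://app.example"}, cookies={"sid": first.set_cookie})
    print(app.serve_data(ajax).status)  # 200
```

Marking the session only when the page is served, rather than on any request, is what ties the data endpoint to the page; marking it on the data request itself would let the first Ajax call create its own entitlement.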