隐藏表单输入字段以防止使用 firebug 访问的最佳方法?

发布于 2024-09-15 00:27:48 字数 761 浏览 10 评论 0原文

我有一个发布到外部 API 的表单。有一个名为 customer_token 的参数,它作为输入字段传递。它用于 API 的身份验证,每个客户都会分配一个令牌。输入字段在 Firefox 的 Firebug 中是可见的(即使它是隐藏字段)。

我该如何隐藏它?

选项 按照我最初的想法使用 javascript

我认为在提交表单之前使用 javascript 在运行时创建该输入字段并立即删除该字段将起作用,但该字段仍然会暂时出现。因此,即使一个人无法手动获取它,我担心爬虫或蜘蛛(我不知道确切的术语 - 但一些自动化脚本)可能会获取客户令牌。对此有更好的解决方案吗?表单提交后,仍显示相同的表单。

按照 Ikke 的建议使用一次性代币概念

我不确定它将如何运作? API 需要正确的客户令牌值才能处理任何请求。因此,即使要生成一次性令牌并返回,也必须发送带有客户令牌的请求。这样任何人都可以看到我的客户令牌价值,他们还可以发送请求以获取一次性令牌并使用它。那么它是如何解决问题的呢?

已解决 检查 如何将表单发布到我的服务器,然后发布到 API,而不是直接发布(出于安全原因)? 谢谢, 桑迪潘

I have a form which is posted to an external API. There is a parameter called customer_token which is passed as an input field. It is used for authentication by the API and every customer is assigned one token. The input field is visible in Firefox's Firebug (even though it is a hidden field).

How do I hide it?

Options
Using javascript as I thought initially

I think using javascript to create that input field at the run time before submitting the form and immediately removing the field will work but still the field will appear momentarily. So, even if a person can't manually get it, I am afraid that a crawler or spider (I don't know the exact term - but some automated script) may get the customer token. Is there a better solution for this? After form submission, the same form remains displayed.

Using one-time token concept as suggested by Ikke

I am not sure how it will work? The API needs the correct customer token value to process any request. So, even to generate a one-time token and return, a request with the customer token has to be sent. This way anyone is able to see my customer token value and they can also send a request to get a one-time token and use it. So how does it solve the problem?

Resolved
Check How to post form to my server and then to API, instead of posting directly(for security reasons)?
Thanks,
Sandeepan

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

污味仙女 2024-09-22 00:27:48

这是不可能的。 Firebug 只是读取 DOM 的实际状态,因此即使是在后期添加的,仍然可以检索到。

这种安全方式称为“通过隐匿性实现的安全性”,是一种非安全性。您必须以另一种方式解决它,例如让服务器代替执行请求。

您让用户将表单提交到服务器。然后使用 curl,使用正确的用户代码调用 Web 服务。

This is not possible. Firebug just reads the DOM in it's actual state, so even if it's added in a later stage, it can still be retrieved.

This way of security is called Security through obscurity and is a kind of non-security. You would have to solve it another way, like letting the server do the request in stead.

You let the user submit the form to the server. Then with curl, you make the call to the webservice with the correct user code.

无声静候 2024-09-22 00:27:48

恐怕我认为这是不可能的。

如果 Firebug 是通过 Javascript 插入的,那么它仍然会看到该元素,因为它会监视 DOM 树。如果此输入暴露了安全漏洞,那么服务器端代码的工作就是验证/修复它。

有关 API 的更多详细信息可能会帮助某人更详细地回答这个问题。

我希望这有帮助

I don't think this is possible I'm afraid.

Firebug will still see the element if it's inserted via Javascript, as it watches the DOM tree. If this input exposes a security vulnerability then it's the job of your server-side code to validate/fix it.

More details on the API might help somebody answer this question in more detail.

I hope this helps

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文