How do I post a form to my own server and then on to the API, rather than directly (for security reasons)?

Posted 2024-09-16 12:01:26


There is an integration with an API for conducting live online classes. The API wanted us to post a form to their site along with a parameter called customer_token as an input field. It is used for authentication by the API, and every customer site is assigned one token. The customer token is actually some hashed value of the domain name or IP or something.

Now, after the integration, they want me to hide the customer_token input field somehow from being accessible through Mozilla's Firebug and similar tools, because anybody can see the token, send a similar form to the API and access the API's service. Needless to say, the API was not developed by experts. They did not realize the issue before, and it is not a widely used API.

I asked a question previously, Best way to hide a form input field from being accessed using Firebug?, and realised that it is not possible to hide any information sent through a GET/POST method. Someone asked me whether the request is being sent directly to the API, or first to my server or something.

Please explain how that fixes the security issue and how I should implement it.

Thanks,
Sandeepan

Comments (2)

我是有多爱你 2024-09-23 12:01:26


You could POST to your own server, where a script POSTs all the parameters on to the API's form action, with the customer_token added server-side in your script, where clients can't see it.

So, you have your original form:

<form action="http://someapi.com/blah" method="POST">
    <input type="hidden" name="customer_token" value="foo">
    <input type="text" name="whatever">
    ...
</form>

And instead use:

<form action="myapiblah.php" method="POST">
    <input type="text" name="whatever">
    ...
</form>

Note that there's no customer_token in the second example. Then, in myapiblah.php (change the name, obviously, especially depending on the server-side language you're using; I might be able to provide more specific examples if you tell me what you use), use something like this pseudo-code:

parameters = $_POST;
parameters['customer_token'] = 'foo';
send_http_request('POST', 'http://someapi.com/blah', parameters);

You'll need to look up the details of what to use for send_http_request.

In PHP, you'd do something like this, if you can use the pecl_http stuff in PECL:

// The token lives only in server-side code/config; the browser never sees it.
$params = $_POST;
$params['customer_token'] = 'foo';

// pecl_http 1.x API: send the fields as the POST body, not as query-string data
$req = new HttpRequest('http://someapi.com/blah', HttpRequest::METH_POST);
$req->addPostFields($params);
try {
    $req->send();
    if ($req->getResponseCode() == 200) {
        // success!
    }
    else {
        // got to the API, the API returned perhaps a RESTful response code like 404
    }
}
catch (HttpException $ex) {
    // couldn't get to the API (probably)
}
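
The relay this answer describes, as an added example that is not part of the original post or of the API's own code: a Python WSGI endpoint standing in for myapiblah.php. API_URL, ALLOWED_FIELDS, the CUSTOMER_TOKEN environment variable and the sample form bodies are assumptions. It goes a little beyond the answer's pseudo-code: it whitelists which fields are forwarded and discards any customer_token a client sends, so the API only ever sees the server's token. One caveat worth keeping in mind: moving the token server-side only stops the token itself from leaking; the relay endpoint is now the thing anyone can call, so it still needs whatever login, CSRF and rate-limiting checks the rest of the site applies.

```python
"""Server-side relay for a third-party form that needs a secret customer_token.

The browser posts only the visible fields to relay_app; the relay adds the
token and forwards the complete form to the API. The token never appears in
HTML or in any request the browser can inspect.
Constructed names: API_URL, ALLOWED_FIELDS, CUSTOMER_TOKEN (assumptions).
"""
import http
import io
import os
import urllib.parse
import urllib.request
from typing import Callable, Mapping, Optional, Tuple

API_URL = "https://someapi.example/blah"               # assumed API form action
ALLOWED_FIELDS = frozenset({"whatever", "course_id"})  # assumed visible form fields

Sender = Callable[[urllib.request.Request], Tuple[int, bytes]]


def customer_token() -> str:
    """The secret shared with the API. Read from the environment (or a secret
    store); it is never written into the page served to the browser."""
    return os.environ.get("CUSTOMER_TOKEN", "dev-placeholder-token")


def build_upstream_fields(client_fields: Mapping[str, str], token: str) -> dict:
    """Copy only whitelisted client fields, then add the token.

    A client-supplied customer_token is dropped before the server's value is
    set, so a tampered form cannot choose which token the API sees."""
    fields = {k: v for k, v in client_fields.items() if k in ALLOWED_FIELDS}
    fields["customer_token"] = token
    return fields


def encode_form(fields: Mapping[str, str]) -> bytes:
    """application/x-www-form-urlencoded body, as an HTML form would send."""
    return urllib.parse.urlencode(fields).encode()


def forward_to_api(fields: Mapping[str, str],
                   send: Optional[Sender] = None) -> Tuple[int, bytes]:
    """POST the fields to API_URL and return (status, body).

    `send` is injectable so the relay can be exercised offline; the default
    performs the real HTTP request with urllib."""
    req = urllib.request.Request(
        API_URL, data=encode_form(fields), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    if send is None:
        def send(r: urllib.request.Request) -> Tuple[int, bytes]:
            with urllib.request.urlopen(r, timeout=10) as resp:
                return resp.status, resp.read()
    return send(req)


def parse_form(environ: dict) -> dict:
    """Read a urlencoded POST body from a WSGI environ; last value wins."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    raw = environ["wsgi.input"].read(length).decode("utf-8", "replace")
    return {k: v[-1] for k, v in
            urllib.parse.parse_qs(raw, keep_blank_values=True).items()}


def relay_app(environ: dict, start_response, send: Optional[Sender] = None):
    """WSGI application standing in for myapiblah.php."""
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Content-Type", "text/plain")])
        return [b"POST only\n"]
    upstream = build_upstream_fields(parse_form(environ), customer_token())
    status, body = forward_to_api(upstream, send=send)
    try:
        phrase = http.HTTPStatus(status).phrase
    except ValueError:
        phrase = "Unknown"
    start_response(f"{status} {phrase}", [("Content-Type", "text/plain")])
    return [body]


def make_environ(method: str, body: bytes = b"") -> dict:
    """Minimal WSGI environ for exercising relay_app without a web server."""
    return {"REQUEST_METHOD": method,
            "CONTENT_LENGTH": str(len(body)),
            "wsgi.input": io.BytesIO(body)}


if __name__ == "__main__":
    # Demo with a fake transport: the browser tried to smuggle its own token,
    # which the relay discards in favour of the server's secret.
    def show(req: urllib.request.Request) -> Tuple[int, bytes]:
        print("upstream POST", req.full_url, req.data.decode())
        return 200, b"ok"
    env = make_environ("POST", b"whatever=hello&customer_token=attacker")
    print(relay_app(env, lambda s, h: print("status", s), send=show))
```

The demo at the bottom uses an injected `send` so it runs offline; in production `relay_app` is served by any WSGI host and `forward_to_api` uses urllib's default transport.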
少年亿悲伤 2024-09-23 12:01:26


The person who asked you is right! Does the form go first to the web server? That is, is the site posting to a normal URL for which Apache or another web server takes the request, or does the form go to a specific service (like a web server, which is also only a service that listens on a port; port 80 for web servers, mostly)? If you hide a field in a web form, it is useless. If you take a look at the source code of the site, you can still see the hidden field!
