Securing credentials on the front end

Posted on 2025-01-22 03:46:20

I am creating an app using react-native. This app requires some sensitive data which must be stored securely, and there are various options for that, e.g., expo-secure-store.

Now I am a bit confused regarding securing the data on the front end.

I am using react-native-async-storage to store other data on the front end.

Now it is treated as a bad practice to use the same for sensitive data.

But my question is, say I use expo-secure-store for sensitive data, but at the time of saving it like this:

SecureStore.setItemAsync(key, value);

where value is the sensitive part, isn't that still getting exposed while setting it in the code?

Please explain this and describe some better practices to store (or access) sensitive data on the front end.

Thanks!

Comments (1)

梦在深巷 2025-01-29 03:46:20

The documentation for the Google Maps Android SDK has instructions for restricting the API key usage to an app fingerprint: https://developers.google.com/maps/documentation/android-sdk/get-api-key

This reduces the risk of including the key in your app by only allowing the key to be used from a source that matches the fingerprint of the app certificate.

In practice the value of a Google Maps API key is fairly low, and is not the most attractive target for a bad actor. Frontend API keys are sensitive in that you can be billed for their usage, but unless you are specifically targeted, it's not a likely attack vector.

Truly sensitive keys, like those used to generate auth credentials or payment data, should always be kept on the backend, and any decent third-party service will be set up in a way that forces this to be the case (for example, Stripe).

You may get better answers by asking how or when to store specific keys.
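
One way to apply the answer's advice to keep truly sensitive keys on the backend, as an added example that is not part of the original post: the server holds the long-lived secret and issues a short-lived signed token, and the app stores only that token through a `setItemAsync`/`getItemAsync` store. The names `SERVER_SECRET`, `issueToken`, `verifyToken`, `signIn` and `memoryStore`, the token format, and the `login` callback are assumptions made for illustration; `memoryStore` stands in for expo-secure-store so the code runs under Node.

```javascript
const crypto = require('node:crypto');

// Backend side: this secret never ships in the app bundle.
// Constructed sample value; a real server reads it from its environment.
const SERVER_SECRET = 'constructed-demo-secret';

// Issue "<payload>.<hmac>" that expires ttlSeconds after nowMs.
function issueToken(userId, nowMs, ttlSeconds = 300, secret = SERVER_SECRET) {
  const claims = JSON.stringify({ sub: userId, exp: nowMs + ttlSeconds * 1000 });
  const payload = Buffer.from(claims).toString('base64url');
  const sig = crypto.createHmac('sha256', secret).update(payload).digest('base64url');
  return `${payload}.${sig}`;
}

// Check the HMAC in constant time, then the expiry. Returns the user id or null.
function verifyToken(token, nowMs, secret = SERVER_SECRET) {
  const [payload, sig] = String(token).split('.');
  if (!payload || !sig) return null;
  const expected = crypto.createHmac('sha256', secret).update(payload).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  return claims.exp > nowMs ? claims.sub : null;
}

// App side: `store` is any object with setItemAsync/getItemAsync
// (the shape of expo-secure-store). The value comes from the backend at
// runtime, so no secret literal appears in the app's source.
async function signIn(store, login) {
  const token = await login(); // hypothetical call to the backend's login endpoint
  await store.setItemAsync('session', token);
  return token;
}

// In-memory stand-in for expo-secure-store so the example runs under Node.
function memoryStore() {
  const items = new Map();
  return {
    setItemAsync: async (key, value) => { items.set(key, value); },
    getItemAsync: async (key) => (items.has(key) ? items.get(key) : null),
  };
}
```

If the stored token leaks from a device, it expires on its own and the server secret is unaffected.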
