In a hybrid app, how to confirm that only your app is accessing the server-side pages
Hybrid apps are apparently fairly new, so it is hard to find good information on this. I know I need to allow cross-origin resource sharing on my server-side pages, but that obviously opens up a security hole. In a phonegap/cordova app, the only control I have is on the client side, calling my server-side pages via ajax. This means anyone can access my php pages. This means anyone can impersonate my app and get at all of my data (such as account information, etc.). My question is: how do I confirm that only my app is accessing these pages? Please provide concrete coding examples.
This question gets asked here every day.
What you want to do is logically impossible. There is no workaround. You do not control the client.
I answered your question in this blog post: Client authenticity is not the server's problem, and many others liked it as well.
One of the most basic rules of application security is input validation. The reason this rule is so fundamental is because your server only has control (and visibility) over the software running on itself. Every other device on the Internet is a black box that you can communicate with over networking protocols. You can't see what it's doing, you only see the messages that it sends.
...
The server should remain agnostic to the client.
The software on the client and the software on the server should have a mutual distrust towards each other. Any messages that the server receives should be validated for correctness and handled with care. Data should never be mixed with code if you can help it.
...
The take-away is: Instead of trying to control your users, focus on making their misbehavior inconsequential to the stability and integrity of your server.
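The practical consequence of the answer above is that the server should authenticate the user and validate every request, and stop caring which piece of software sent it. The following is an added example written for this page, not code from the question, the answer or the linked blog post. It models the two php pages the asker is worried about (an account lookup and a transfer) as plain Python functions with an in-memory user store; the request shape (a headers dict and a body string), the HMAC-signed bearer token scheme, the users `alice`/`bob` and their balances are all constructed assumptions for the demo, not a recommendation to hand-roll sessions in production.

```python
import hashlib
import hmac
import time
import json
import secrets
from typing import Optional, Tuple

# Constructed in-memory store for the demo (assumption: a real backend uses a DB).
# Passwords are kept as salted PBKDF2 hashes, never in the clear.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = {"alice": secrets.token_bytes(16), "bob": secrets.token_bytes(16)}
USERS = {
    "alice": {"pw": _hash_password("correct horse", _SALT["alice"]), "balance": 120},
    "bob":   {"pw": _hash_password("hunter2", _SALT["bob"]), "balance": 40},
}
# Lives only on the server. Nothing inside the Cordova bundle can be a secret,
# because anyone who installs the app can unzip it and read it.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds


def login(username: str, password: str) -> Optional[str]:
    """Check *user* credentials; on success issue an HMAC-signed bearer token."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["pw"], _hash_password(password, _SALT[username])):
        return None
    expires = int(time.time()) + TOKEN_TTL
    payload = f"{username}:{expires}"
    sig = hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}:{sig}"


def authenticate(headers: dict) -> Optional[str]:
    """Return the username behind a valid 'Authorization: Bearer <token>', else None.
    User-Agent, Origin or any custom 'X-App-Secret' header are ignored on purpose:
    every client can set them to whatever it likes, so they prove nothing."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    parts = auth[len("Bearer "):].split(":")
    if len(parts) != 3:
        return None
    username, expires, sig = parts
    expected = hmac.new(SERVER_KEY, f"{username}:{expires}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return None
    if not expires.isdigit() or int(expires) < time.time():
        return None
    return username if username in USERS else None


def get_account(headers: dict, query: dict) -> Tuple[int, dict]:
    """GET /account.php: returns only the caller's own record.
    A 'user' query parameter is deliberately ignored; data is scoped by the
    authenticated identity, not by whatever the client asks for."""
    me = authenticate(headers)
    if me is None:
        return 401, {"error": "authentication required"}
    return 200, {"user": me, "balance": USERS[me]["balance"]}


def post_transfer(headers: dict, body: str) -> Tuple[int, dict]:
    """POST /transfer.php: validates every field before touching any state."""
    me = authenticate(headers)
    if me is None:
        return 401, {"error": "authentication required"}
    try:
        data = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not JSON"}
    to = data.get("to") if isinstance(data, dict) else None
    amount = data.get("amount") if isinstance(data, dict) else None
    # Explicit type and range checks; the client's own checks count for nothing here.
    if not isinstance(to, str) or to not in USERS or to == me:
        return 400, {"error": "invalid recipient"}
    if type(amount) is not int or amount <= 0:  # 'is int' also rejects JSON true/false
        return 400, {"error": "amount must be a positive integer"}
    if amount > USERS[me]["balance"]:
        return 409, {"error": "insufficient funds"}
    USERS[me]["balance"] -= amount
    USERS[to]["balance"] += amount
    return 200, {"user": me, "balance": USERS[me]["balance"]}
```

Two things to notice when you run it. A request carrying a copied "app secret" header but no user token gets 401, and a request from curl or a competitor's app carrying a real user's token gets exactly what the real app would get, and nothing more than that user's own record. That is what "agnostic to the client" looks like in code: the handler never tries to tell the app from an impostor, it only decides what the authenticated user is allowed to do and rejects malformed input before it reaches any state.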