API
Hazrat Hajikerimov, 2018-02-06 21:04:02

Protecting the token on the client side?

What are the ways to protect the token on the client side?
Let's say there is a website; on the front end, on a certain event, a request is sent to a third-party service that stores data. So I'm wondering: any ill-wisher can simply copy the token and, for example, clear the storage.
Example URL with a token:
https://example.com/4508hghgh34g87r34545/get - read
https://example.com/4508hghgh34g87r34545/set - write
What tools can be implemented in the service to protect against simple copying?
Naturally, CORS is enabled on top of that.
I'm more worried that the user can send a request to overwrite data directly in the console.
In general, I'm interested in learning about world practices for protecting the token on the client.


3 answer(s)
Dmitry Entelis, 2018-02-06
@DmitriyEntelis

I'm more worried that the user can send a request to overwrite data directly in the console.
Everything that went to the client no longer belongs to you.
If you want to somehow tie this to the business logic of your project, your statuses, etc., write a mini service on your backend that forwards requests to the external service and at the same time performs all the necessary business-logic checks, etc.
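One way to build the backend "mini service" this answer describes, as an added example that is not part of the original answer: the browser talks only to this handler, the third-party token lives in a server-side environment variable and never reaches the client, and write access is granted per session. The session store, the `can_write` flag, the `STORAGE_TOKEN` variable and the size limit are assumptions.

```python
import json
import os

# Third-party storage from the question; the token is read server-side only.
UPSTREAM_BASE = "https://example.com"
SECRET_TOKEN = os.environ.get("STORAGE_TOKEN") or "placeholder-token"  # assumed env var

# Constructed sample session store: who is logged in and whether they may write.
# The asker's worry is that anyone holding the token could "clear the storage",
# so writing is an explicit permission instead of something every client gets.
SESSIONS = {
    "sess-reader": {"user": "alice", "can_write": False},
    "sess-editor": {"user": "bob", "can_write": True},
}

class Forbidden(Exception):
    """Raised when the front-end request fails a business-logic check."""

def build_upstream_request(session_id, action, payload=None):
    """Authorize a browser request and translate it into the upstream call.

    Returns (method, url, body). The url carries the secret token, which is
    why this tuple must never be echoed back to the browser.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        raise Forbidden("unknown session")
    if action == "get":
        return ("GET", f"{UPSTREAM_BASE}/{SECRET_TOKEN}/get", None)
    if action == "set":
        if not session["can_write"]:
            raise Forbidden(f"{session['user']} may not write")
        # Refuse empty or oversized bodies: a client cannot wipe or flood the storage.
        if not payload or len(json.dumps(payload)) > 4096:
            raise Forbidden("payload rejected")
        return ("POST", f"{UPSTREAM_BASE}/{SECRET_TOKEN}/set", json.dumps(payload))
    raise Forbidden(f"unknown action {action!r}")

def handle(session_id, action, payload=None, send=None):
    """Entry point the front end calls; `send(method, url, body)` does the HTTP call."""
    try:
        method, url, body = build_upstream_request(session_id, action, payload)
    except Forbidden as exc:
        return {"status": 403, "error": str(exc)}
    result = send(method, url, body)
    # Only the status goes back; the upstream url (and token) stays on the server.
    return {"status": result["status"]}

if __name__ == "__main__":
    fake_send = lambda m, u, b: {"status": 200}  # stand-in for a real HTTP client
    print(handle("sess-reader", "set", {"note": "hi"}, send=fake_send))  # 403
    print(handle("sess-editor", "set", {"note": "hi"}, send=fake_send))  # 200
```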

InoMono, 2018-02-06
@InoMono

Authorization. Divide and rule.
There is no need to give everyone who comes along more rights than they need to perform everyday tasks.
To perform rare tasks, you can require authentication again. Haven't you ever come across this: you can do anything on the site, but when you change key information in your personal account, you are required to enter the password again?

Stanislav Bodrov, 2018-02-08
@jenki

The essence of a token is to prevent access to its contents under any circumstances.
Data enters, is processed, exits. That's it. It's a black box. No requests or persuasion can extract anything from it. So

I'm more worried that the user can send a request to overwrite data directly in the console.
even reading its contents (key, certificate) is a sufficient condition for compromise.
Therefore, in reality, the token is a separate service, inaccessible from anywhere, that receives data and returns the processed data. How it does so must remain a mystery.
