Data in transit can be eavesdropped on, intercepted and forged, so the security of API interfaces is especially important. This article shares a scheme for designing secure API interfaces; readers who need it may want to bookmark it.

Not every interface needs to consider security. Some interfaces are public: anyone who knows the address can call them. But for projects where an interface must only be reachable by logged-in users, security has to be designed in.

The common solutions are as follows:

  • Token authentication (JWT)

  • AK/SK (App Key & Secret Key)

  • Username & Password

  • Timestamp expiry check + signature algorithm

  • URL signing (symmetric or asymmetric algorithms)

  • Data desensitization/masking (to limit the damage if the database leaks)

  • HTTPS

  • IP black/white lists (server-level restrictions in Apache, Nginx)

  • OAuth 2.0

About JWT:

JSON Web Token (JWT) is a token-based authentication mechanism. Like the HTTP protocol it is stateless: the server does not need to keep user authentication or session information, which makes the application easier to scale out. JWT has the following advantages:

  • A JWT can carry the non-sensitive information that other business logic needs, so that information travels with the request (the payload is only Base64url-encoded, so nothing sensitive belongs in it).

  • Its structure is simple and compact, so it is cheap to transmit.

  • No session information is stored on the server side, which makes it well suited to projects where front end and back end are separated.

The workflow of authentication with JWT is as follows (important):

  • The user sends a username and password to the server.

  • The server checks the credentials (for example against the database).

  • If they are valid, the server issues a token (JWT) to the user.

  • The client attaches the token to subsequent requests; the server verifies the token's signature and returns the requested data.

A JWT consists of three parts (header, payload, signature). The three parts are Base64url-encoded and concatenated with "." to form a JWT string of the following shape:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImp0aSI6IjNmMmc1N2E5MmFhIn0.eyJpYXQiOjE1NTk1Mjk1MjksImlzcyI6Imh0dHA6XC9cL3d3dy5peW5uLmNuIiwiYXVkIjoiaHR0cDpcL1wvd3d3Lml5bm4uY24iLCJuYmYiOjE1NTk1Mjk1MjgsImV4cCI6MTU1OTUzMzEyOSwianRpIjoiM2YyZzU3YTkyYWEiLCJ1c2VyX2lkIjoxfQ.4BaThL6_TbIMBGLIWZgpnoDQ-JlAjzbiK3y3BcvNiGI

Among them:

The header normally contains two fields (possibly more): the token type and the signature algorithm used.

A complete header looks like the following JSON:

{
  "typ": "JWT",
  "alg": "HS256"
}

The header is then Base64url-encoded to form the first part of the JWT. This is encoding, not encryption: anyone who holds the token can decode it without any key.

  • Payload: the "body" of the token, where the useful claims are stored. These claims fall into three groups:

  • Registered claims (recommended, not mandatory): iss (issuer), sub (subject, i.e. the user), aud (audience), iat (issued at), nbf (not before), exp (expiration time), jti (JWT ID)

  • Public claims

  • Private claims

An example payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

The payload is Base64url-encoded in the same way (again, encoded and readable by anyone, not encrypted), giving the second part of the JWT.

  • Signature. The signature is computed from three inputs:

  • the Base64url-encoded header

  • the Base64url-encoded payload

  • the secret

In pseudocode:

var encodedString = base64UrlEncode(header) + '.' + base64UrlEncode(payload);
var signature = HMACSHA256(encodedString, secret);   // HMAC-SHA256 over header.payload, keyed with the server-side secret

This gives us the third part of the JWT:

var jwt = encodedString + '.' + base64UrlEncode(signature);

Finally, the three parts are joined with "." to give the final JWT string. In practice you do not write the JWT generation yourself (a library does it), but the process above is what happens under the hood, and it is worth understanding.

Note the following:

  • The secret is stored on the server side.

  • JWTs are issued (generated) on the server side.

  • The same secret is used both to issue and to validate JWTs. (This holds for HS256, a symmetric HMAC; with an asymmetric algorithm such as RS256 the private key signs and only the public key is needed to verify.)

The secret is therefore the server's key material and must never be disclosed in any scenario. Once anyone else (including users on the client side) knows the secret, they can mint their own JWTs with arbitrary claims, and the interface is no longer secure.

From: zhuanlan.zhihu.com/p/347201039