What are (if any) the security drawbacks of REST Basic Authentication with JavaScript clients?

傲寒 2021-01-19 16:43

I have this application that consists of a REST back-end intended to service requests from an HTML5/JavaScript client (which I'm also building).

I'm planning on

3 answers
  • 2021-01-19 17:12

    The “hard” credentials should never be stored in an area that is accessible by JavaScript, otherwise you open yourself wide to XSS attacks.

    I recommend using access tokens and storing them in HTTPS-only cookies. You do an initial exchange of hard credentials for access token, then use the token (which is time limited) for subsequent requests.

    I have written a lengthy article on this subject and it covers my answer in detail: Token Based Authentication for Single Page Apps

    Hope this helps!

  • 2021-01-19 17:13

    CORS issues aside (assuming you're making REST calls to your same domain), the big concern is the client would need to have the credentials inside the JavaScript. Anyone would be able to read your code and use them (as you've pointed out).

    Even if the credentials are just the user's own, anything in your client side could be in danger of exposure by cross-site scripting or any browser plugins that can manipulate the DOM (I'm thinking for example of things like the Selenium testing IDE).

  • 2021-01-19 17:14

    Basic authentication is really basic ;-) You don't really control the session, ... Here is a link about a more advanced approach (token-based authentication) for RESTful services: https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/.

    Otherwise I agree with Robert's previous answer that we need to be very careful when storing credentials on the client side (XSS attacks).

    The problem with cookies is that your client needs to be a browser to leverage this feature transparently... If that's the case, you can leverage this. If you're open to any REST clients, it could be a problem since clients need to handle cookies manually. Moreover it's really not the best approach for authentication within RESTful services ;-)

    I don't really see other approaches (with the exception of cookies) to implement authentication in an SPA in a convenient and flexible way. Notice that JavaScript frameworks like Angular provide support to prevent XSS attacks.

    I give an answer here about such an issue: Is there any safe way to keep rest auth token on the client side for SPA?.

    Hope it will give hints to your issue. Thierry

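The exchange the first answer recommends (hard credentials traded once for a time-limited token that lives in a cookie page scripts cannot read), as an added Node.js example that is not part of the original answers. It uses the `HttpOnly` and `Secure` cookie attributes; `login`, `authenticate`, `USERS`, `SECRET` and `TTL_SECONDS` are assumed names, and the account is constructed sample data.

```javascript
// Added example. USERS, SECRET and TTL_SECONDS are constructed for illustration.
const crypto = require('crypto');

const SECRET = crypto.randomBytes(32);   // per-process HMAC key (assumption)
const TTL_SECONDS = 900;                 // token lifetime, 15 minutes (assumption)
// Constructed account; a real store would hold salted password hashes.
const USERS = { alice: 'correct horse battery' };

const sign = (payload) =>
  crypto.createHmac('sha256', SECRET).update(payload).digest('hex');

// Constant-time string comparison; hashing first gives equal-length buffers.
function safeEqual(a, b) {
  const h = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(h(a), h(b));
}

// Step 1: exchange an "Authorization: Basic ..." value for a Set-Cookie value.
function login(authorizationHeader, nowMs = Date.now()) {
  const m = /^Basic ([A-Za-z0-9+/=]+)$/.exec(authorizationHeader || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');      // only the first ':' separates user and password
  if (sep < 0) return null;
  const user = decoded.slice(0, sep);
  const known = Object.prototype.hasOwnProperty.call(USERS, user);
  // Compare even for unknown users so both failure paths do the same work.
  if (!safeEqual(known ? USERS[user] : '', decoded.slice(sep + 1)) || !known) return null;
  const expires = Math.floor(nowMs / 1000) + TTL_SECONDS;
  const payload = `${encodeURIComponent(user)}.${expires}`;
  // HttpOnly keeps the token away from page scripts; Secure limits it to HTTPS.
  return `session=${payload}.${sign(payload)}; HttpOnly; Secure; ` +
    `SameSite=Strict; Path=/; Max-Age=${TTL_SECONDS}`;
}

// Step 2: validate the Cookie header of a later request; returns user or null.
function authenticate(cookieHeader, nowMs = Date.now()) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookieHeader || '');
  if (!m) return null;
  const cut = m[1].lastIndexOf('.');
  if (cut < 0) return null;
  const payload = m[1].slice(0, cut);
  if (!safeEqual(sign(payload), m[1].slice(cut + 1))) return null;
  const dot = payload.lastIndexOf('.');
  const expired = !(Number(payload.slice(dot + 1)) * 1000 > nowMs);
  return expired ? null : decodeURIComponent(payload.slice(0, dot));
}
```

Because the browser attaches the cookie to requests automatically, the `SameSite=Strict` attribute is what keeps requests triggered from other sites from carrying the session.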