Secure a php proxy?

后端 未结 1 1822
挽巷
挽巷 2021-01-23 22:47

So on my site (https://example.com) I have a page that parses the last.fm API and pulls back the images off their akamai CDN and displays them on the page.

The thing is

相关标签:
1条回答
  • 2021-01-23 23:28

    Generate unique tokens. You're on the right track with a hash, but if you keep your private key constant, it'll eventually get brute-forced. From there, rainbow tables say hi.

    You're effectively going to have to borrow a leaf or two from mechanisms used to prevent CSRF abuse, as you're effectively trying to do the same thing: limit the user to one query per token, with a token that cannot be regenerated by them.

    There are tons of ways to do this, and the usual trade-off is between efficiency and security. The simplest is what you've suggested - which is easily brute-forceable. At the opposite end of the spectrum is the DB approach - generate a unique token per visit, store it in a DB, and validate subsequent calls against this. It is pretty DB-intensive but works out relatively well - and is virtually impossible to break unless the token generation is weak.

    0 讨论(0)
提交回复
热议问题