If you have a public API without authentication,
all you can do is make access as hard as possible for hackers.
In other words, put more/complex locks on the door..., but any lock can be picked.
"Lock" code using the URI
The method we used to keep a WebComponent "safe",
was to load the WebComponent from a long URI:
(Modern browsers no longer have the 2048-character URI limit)
https://domain/p1/p2/customElements/define/secure-api/HTMLElement/p7/p8/webcomponent.js
Then the content code decodes the URI to
let p = [domain,p1,p2,"customElements","define","secure-api","HTMLElement",p7,p8]
to execute JavaScript:
window[p[3]][p[4]](p[5], class extends window[p[6]] { ... })
More locks
If you throw in btoa/atob and String.reverse() conversions,
you have already stopped most potential hackers.
More locks
By generating webcomponent.js
server-side to use the /domain/
part,
that long URI can be the (unique) handshake between Server and Client
More complex locks
Since all state is in the URI, it is easy to apply an address shifting mechanism,
every request can be a different URI (makes Postman unusable and a real pain to debug also :-)
[and we applied some other trickery I won't explain here]
It won't keep hackers out, but will delay them long enough for the majority to give up.
And a mousetrap
In our code/URI encoding we also included a reference to a unique "mousetrap" URI.
If we detect 404 activity in that subdir, we know someone is actively picking a lock.
And.. we can interactively lead/direct them to more mousetraps.
So far we have had only one attempt.
One telephone call (because we know the buyer's domain) was enough to make them stop.
Hello IT manager of [very-big-well-known] IT company X,
if we detect hacking attempts from your company IP address nn.nn.nn.nn,
by law we would have to report this to the authorities
HTH
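The two mechanics this answer describes, as an added example that is not the answerer's code: decoding a "locked" URI into the `customElements.define()` call it encodes (with the btoa/reverse extra lock and its inverse), and a "mousetrap" check that flags any client producing 404s under a trap subdirectory. The trap prefix `/mousetrap-7f3a/`, the `makeGlobalStub()` stand-in for `window`, and the log lines are all constructed for this example; the decoding positions p[3]..p[6] follow the URI layout given in the answer.

```javascript
// Added example (not the original answer's code). Decodes a "locked" URI
// into window[p[3]][p[4]](p[5], class extends window[p[6]] { ... }) and
// runs a "mousetrap" 404 detector over constructed log lines.

const TRAP_PREFIX = "/mousetrap-7f3a/"; // assumed trap subdir, never linked from real pages

// Split a URI into the segment array the answer calls p:
// p = [domain, p1, p2, "customElements", "define", tag, "HTMLElement", p7, p8, file]
function decodeLockedUri(uri) {
  const u = new URL(uri);
  const p = [u.hostname, ...u.pathname.split("/").filter(Boolean)];
  return { p, object: p[3], method: p[4], tag: p[5], base: p[6] };
}

// Extra "lock": base64 then reverse, and its inverse. JavaScript strings
// have no reverse(), so split/reverse/join is used here.
function lock(s) { return btoa(s).split("").reverse().join(""); }
function unlock(s) { return atob(s.split("").reverse().join("")); }

// Perform the define call against a global object: window in the browser,
// or the stub below when running under Node.
function defineFromUri(uri, globalObj) {
  const { object, method, tag, base } = decodeLockedUri(uri);
  const Base = globalObj[base];
  globalObj[object][method](tag, class extends Base {
    connectedCallback() { this.innerHTML = `<p>${tag} loaded</p>`; }
  });
  return tag;
}

// Mousetrap detector: a 404 under TRAP_PREFIX means the client is probing
// paths it was never given. Returns one {ip, hits, paths} record per client.
function detectLockPicking(logLines) {
  const re = /^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3})/;
  const hits = new Map();
  for (const line of logLines) {
    const m = re.exec(line);
    if (!m) continue;
    const [, ip, path, status] = m;
    if (status !== "404" || !path.startsWith(TRAP_PREFIX)) continue;
    const entry = hits.get(ip) || { ip, hits: 0, paths: [] };
    entry.hits += 1;
    entry.paths.push(path);
    hits.set(ip, entry);
  }
  return [...hits.values()];
}

// Constructed sample access log lines (common log format). Only the
// second client touches the trap subdir; the ordinary 404 is ignored.
const SAMPLE_LOG = [
  '198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET /p1/p2/customElements/define/secure-api/HTMLElement/p7/p8/webcomponent.js HTTP/1.1" 200 1832',
  '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /mousetrap-7f3a/admin HTTP/1.1" 404 153',
  '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /mousetrap-7f3a/keys HTTP/1.1" 404 153',
  '198.51.100.4 - - [10/Oct/2023:13:57:10 +0000] "GET /static/app.css HTTP/1.1" 404 153',
];

// Stand-in for window so the example runs under Node as well as in a browser.
function makeGlobalStub() {
  const registry = new Map();
  return {
    registry,
    HTMLElement: class {},
    customElements: { define(tag, cls) { registry.set(tag, cls); } },
  };
}

const LOCKED_URI =
  "https://domain/p1/p2/customElements/define/secure-api/HTMLElement/p7/p8/webcomponent.js";

// Stand-alone run: register the element in the stub and list trap hits.
console.log(defineFromUri(LOCKED_URI, makeGlobalStub()));
console.log(detectLockPicking(SAMPLE_LOG));
```

The detector keys on the trap prefix rather than on 404 volume alone, so a client with a stale bookmark (the `/static/app.css` miss) is not flagged while a client walking the trap subdirectory is, which is the signal the answer uses to decide someone is picking the lock.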