There is a big wave of front-end/back-end separation at the moment. It used to be only app clients that had to think about this; now the web is thinking about front-end/back-end separation as well. That inevitably raises the question of API design and security: if these problems are not solved, they pose a serious threat to server security and performance. Below I share some of my own experience with this.

Two aspects are mainly considered in API design. The security of the interface is designed mainly around a token, a timestamp and a sign (signature), so that the interface's data cannot be tampered with or replayed. The details are as follows:

Token authorization mechanism: after a user logs in with a username and password, the server returns a token (usually a UUID) to the client and stores the token-to-userID mapping as a key-value pair in the cache server. On each subsequent request the server validates the token; if the token does not exist, the request is invalid. The token is the client's credential for accessing the server.

Timestamp timeout mechanism: each request carries the current timestamp. The server compares the received timestamp with its own current time; if the difference exceeds a set limit (for example, 5 minutes), the request is treated as invalid. The timestamp timeout mechanism is an effective means of defending against DoS attacks.

Signature mechanism: the encrypted request data is the request's signature. After receiving the request, the server computes the signature with the same algorithm and compares it with the one that was sent. If they differ, the parameters have been altered, and the server directly returns an error code. The signature mechanism ensures that the data cannot be tampered with.
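The three mechanisms above combined into one client/server exchange, as an added example that is not code from the original article. It assumes HMAC-SHA256 over the sorted parameters with a per-user signing secret issued at login, and it goes one step beyond the text by remembering signatures seen inside the timestamp window, since a timestamp alone still lets an identical request be replayed within those 5 minutes.

```python
import hashlib, hmac, time, uuid
from urllib.parse import urlencode

MAX_SKEW = 300        # timestamp window in seconds (the article's 5 minutes)
TOKEN_STORE = {}      # token -> user id, standing in for the cache server
USER_SECRETS = {}     # user id -> signing key (assumed: issued together with the token at login)
SEEN_SIGNS = {}       # sign -> timestamp, so an identical request cannot be replayed inside the window

def login(user_id):
    """Stand-in for password login: issue a UUID token and a per-user signing secret."""
    token = str(uuid.uuid4())
    TOKEN_STORE[token] = user_id
    USER_SECRETS[user_id] = hashlib.sha256(uuid.uuid4().bytes).digest()
    return token, USER_SECRETS[user_id]

def make_sign(params, secret):
    """Canonical form: every parameter except sign, sorted by name, then HMAC-SHA256."""
    canonical = urlencode(sorted((k, v) for k, v in params.items() if k != "sign"))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()

def client_request(token, secret, body, now=None):
    """Client side: attach token and timestamp, then sign the whole parameter set."""
    ts = int(now if now is not None else time.time())
    params = dict(body, token=token, timestamp=str(ts))
    params["sign"] = make_sign(params, secret)
    return params

def verify_request(params, now=None):
    """Server side: token, timestamp window, signature, then replay check. Returns a reason string."""
    now = now if now is not None else time.time()
    user_id = TOKEN_STORE.get(params.get("token"))
    if user_id is None:
        return "invalid token"
    try:
        ts = int(params["timestamp"])
    except (KeyError, TypeError, ValueError):
        return "bad timestamp"
    if abs(now - ts) > MAX_SKEW:
        return "timestamp expired"
    sign = params.get("sign", "")
    if not hmac.compare_digest(sign, make_sign(params, USER_SECRETS[user_id])):
        return "bad signature"
    # forget signs older than the window, then refuse any sign already seen
    for old in [s for s, t in SEEN_SIGNS.items() if now - t > MAX_SKEW]:
        del SEEN_SIGNS[old]
    if sign in SEEN_SIGNS:
        return "replayed"
    SEEN_SIGNS[sign] = ts
    return "ok"
```

Because the token and timestamp are inside the signed parameter set, an attacker who captures a request can neither change the body nor move it to another timestamp without invalidating the sign.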

There is a video tutorial at the end of this article: "HTTP interface – Separated MVVMS at the front and back ends".

Data encryption

Is it safe enough? What else remains to be done? Encryption secures the data on its way up to the server, but if an attacker captures the ciphertext and submits it directly, what then?

Interface signature

Is it safe enough? What else remains to be done? An interface signature that relies only on the combination of the parameter sequence is not secure enough.

Identity authentication: token

Token authorization mechanism: after a user logs in with a username and password, the server returns a token to the client and caches the token on the server. The server verifies the token after receiving a request; if the token does not exist, the request is invalid.

Authentication encapsulation: cookies implicitly carry the token.

To sum up, security is an eternal topic. With the roll-out of HTTPS on all major websites, security is receiving more and more attention. A signature design you must have; HTTPS I hope you have as well. This article has focused on API interface security. For the more detailed mind map and video tutorial, watch this video to learn more!