Protecting PHP code from AJAX / JavaScript abuse

Problem description:

I am designing a website, and I really want it to be as secure as possible. I have a private folder that cannot be accessed (.htaccess) which contains all my php classes (and similar structures), and a public folder that has my Javascript, CSS and a PHP file for the Javascript(via AJAX) to interface with, which in turn accesses the classes in the private folder.

Now here is my issue, and for the life of me I just cannot seem to get my head around this one:

If someone was to look at the JS code they would see the commands / data being sent to the publicly available PHP script (as described above), therefore getting an idea of what commands to use to interface with that script and potentially gain access to stored data etc.

Now I know that AJAX won't work remotely etc., but as long as you got the commands from the AJAX script you could interface directly with it, so I thought I would do a referrer check on the interface script, and that worked perfectly until I realized how easy it was to spoof your referrer header!

Does anyone have any ideas on how to secure this? If this just sounds like complete garbage, tell me and I'll try and break it down further.


AJAX and JS are client-based - everything they do, any user can do. If you expose an API method to AJAX, you expose it to the user - there's nothing you can do about that. That's your design choice. You could of course obfuscate your API calls, but that doesn't really do anything other than make it less user-friendly.

The bottom line: don't trust any user input, regardless of whether it came from your AJAX code or somewhere else.

Don't be paranoid, just filter input params. Maybe you should switch on SSL so your AJAX requests' content will be hard to sniff, etc.

Are you using the AJAX thing only for security reasons or for any other reason? Because you can build up an architecture like this (a PHP file as "gateway" and all other PHP files in an access-restricted folder) without using AJAX as well. If you want to check it out, you could take a look at the default folder structure of Zend Framework. This structure has the advantage that there is no logic visible to your users at all.

Also important is that IE (at least IE 6 & 7 I think) does not send a referrer at all by default so this probably wouldn't work anyway.

Well, someone scripting your site directly would only be able to access the same stuff he already can in UI, right?

If you have a script function doAdminStuff(), you would check server side if the user is logged in AND is an admin before taking any actions.

Relax, dude.
This is SPARTA! WEB.
Every site in the world is "exposed" like this. That's the way the web works, Ajax or non-ajax based.
You can't help it, yet there is no harm in this. There is nothing to secure.

Here are my recommendations:

  1. Use SSL if you are not already.

  2. Use a (software) token for all requests that you want to protect.

  3. To discourage others from reading your JavaScript files, you can obfuscate them. Dean Edwards' packer is a famous one.

  4. Write a script that sniffs logs and data for potentially bad activity. If you are not logging all the activity you need to (like if the apache logs are not enough) consider writing activity to your own log.
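The server-side checks the two answers above describe (login and role verified before acting, plus a token on every protected request), as an added PHP example that is not from this thread; the private-folder class `Report`, its static methods, the header name and the session keys are assumptions:

```php
<?php
// Added example, not from the original thread: a public AJAX "gateway" that does
// what the answers recommend: authenticate, authorize and verify a token on the
// server before dispatching to the private classes. Paths, class names and the
// session keys (user_id, is_admin, csrf_token) are assumptions.
declare(strict_types=1);
session_start();
header('Content-Type: application/json');
require_once __DIR__ . '/../private/Report.php'; // assumed class in the private folder

// Allowed commands and the role each needs; anything not listed is rejected, so
// reading the command names out of the JavaScript gives a caller nothing extra.
const COMMANDS = [
    'listReports'  => ['role' => 'user',  'handler' => ['Report', 'listForUser']],
    'deleteReport' => ['role' => 'admin', 'handler' => ['Report', 'delete']],
];

function fail(int $status, string $msg): void {
    http_response_code($status);
    exit(json_encode(['error' => $msg]));
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') fail(405, 'POST required');
$body = json_decode(file_get_contents('php://input'), true);
if (!is_array($body)) fail(400, 'Invalid JSON');

// Token: issued into the session when the page is rendered (e.g. with
// bin2hex(random_bytes(32))) and echoed back by the JS in a header. Unlike the
// Referer header, a request forged from elsewhere cannot supply it.
$sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if (empty($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $sent)) {
    fail(403, 'Bad or missing token');
}

// Login and role are checked here, on the server; the JavaScript decides nothing.
if (empty($_SESSION['user_id'])) fail(401, 'Not logged in');
$cmd = $body['cmd'] ?? '';
if (!isset(COMMANDS[$cmd])) fail(400, 'Unknown command');
if (COMMANDS[$cmd]['role'] === 'admin' && empty($_SESSION['is_admin'])) fail(403, 'Admin only');

// Validate the parameters the command needs before touching the private classes.
$id = filter_var($body['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) fail(400, 'id must be a positive integer');

echo json_encode(call_user_func(COMMANDS[$cmd]['handler'], (int) $_SESSION['user_id'], $id));
```

Because every decision is made from the server-side session rather than from anything the client sends, a caller who has read the command names out of the JavaScript still cannot do more than the logged-in user could through the UI.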