Backbone.js Security

Published 2019-06-19 01:52

Question:

I am learning Backbone.js at the moment, so sorry if my question is nooby :-P

In my program I check my data server-side to be correct, etc. ... but I was wondering what will happen if users change the data stored in models using the Console in FireBug, for example, and try .save() or .fetch().

Is there any way to stop such actions?

Considering all my data is going to be stored in models and can be easily retrieved by users, I am not really comfortable using Backbone.js. Is it just me, or is there something wrong here?!

Answer 1:

A simple and safe way is to include the user credentials (username and password) in your model and check them on the server side on each AJAX call.

To avoid so many DB requests, you can also generate an associative array of id => serial key for each logged-in user on the server side and return it by fetch() during the auth process, then check whether the id and the serial key you generated match on each AJAX call.



Answer 2:

"but I was wondering what will happen if users change the data stored in models using the Console in FireBug, for example, and try .save() or .fetch()."

Then the edited data would be submitted to the server.

"Is there any way to stop such actions?"

No, you just have to deal with them in the same way that you deal with any request: perform authentication/authorization to make sure that the user making the request is allowed to do so.

"Considering all my data is going to be stored in models and can be easily retrieved by users, I am not really comfortable using Backbone.js."

Then don't use it.

But don't be paranoid about keeping data secret if it is stuff you would display to the user anyway if you weren't using a client-side framework like Backbone.



Answer 3:

"Considering all my data is going to be stored in models and can be easily retrieved by users, I am not really comfortable using Backbone.js. Is it just me, or is there something wrong here?!"

You aren't doing anything wrong, but not using Backbone won't make your site any more secure. Even if you are not using Backbone, I can fire up the console while on your site and make any ajax request I want to your server. If I wanted to take it further, I could build an application that makes any request I want.

No real security can be implemented client-side. That is the server's responsibility regardless of whether or not you are using something like Backbone.
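Added example (not from the question or any of the answers above): a minimal server-side handler, in plain Node.js with no Backbone or Express dependency, that treats every incoming model.save() as untrusted input. It combines the per-user "serial key" check from Answer 1 with the point made in Answers 2 and 3 that authorization and validation must happen on the server. The session table, record store, field whitelist and the three sample requests are all constructed for illustration; `handleSave` and `getRecord` are hypothetical names, not part of any library.

```javascript
// Constructed session table: the server-issued key per logged-in user
// (Answer 1's id => serial key idea), sent back with every AJAX call in a header.
const sessions = new Map([
  ['tok-alice-9f3a', { userId: 1, role: 'user' }],
  ['tok-bob-27c1',   { userId: 2, role: 'user' }],
]);

// Constructed server-side store of the records a Backbone collection mirrors.
const records = new Map([
  [10, { id: 10, ownerId: 1, title: 'Alice note', body: 'hello' }],
  [11, { id: 11, ownerId: 2, title: 'Bob note',   body: 'hi' }],
]);

// Whitelist of fields a client may change, each with its own validator.
// Anything else a modified model sends (id, ownerId, role, ...) is dropped, not trusted.
const EDITABLE = {
  title: v => typeof v === 'string' && v.length > 0 && v.length <= 100,
  body:  v => typeof v === 'string' && v.length <= 10000,
};

// Handles the JSON body a Backbone model posts on save(). The return value
// mimics an HTTP response so the caller can see which status code was produced.
function handleSave(request) {
  // Authentication: the token must map to a server-side session.
  const session = sessions.get(request.headers['x-session-token']);
  if (!session) return { status: 401, error: 'not authenticated' };

  const current = records.get(request.params.id);
  if (!current) return { status: 404, error: 'no such record' };

  // Authorization: ownership is decided from server state, never from the payload.
  if (current.ownerId !== session.userId && session.role !== 'admin') {
    return { status: 403, error: 'not your record' };
  }

  // Validation: keep only whitelisted fields that pass their checks.
  const accepted = {};
  const ignored = [];
  for (const [key, value] of Object.entries(request.body)) {
    if (Object.hasOwn(EDITABLE, key) && EDITABLE[key](value)) accepted[key] = value;
    else ignored.push(key);
  }
  const updated = { ...current, ...accepted };
  records.set(current.id, updated);
  return { status: 200, record: updated, ignored };
}

function getRecord(id) { return records.get(id); }

// Constructed request: what the server sees after an ordinary model.save() ...
const honestSave = {
  headers: { 'x-session-token': 'tok-alice-9f3a' }, params: { id: 10 },
  body: { id: 10, title: 'Renamed note', body: 'hello' },
};

// ... after the model was edited in the browser console before save() ...
const tamperedSave = {
  headers: { 'x-session-token': 'tok-alice-9f3a' }, params: { id: 10 },
  body: { id: 10, title: 'Renamed', role: 'admin', ownerId: 99 },
};

// ... when a user saves a record that belongs to someone else ...
const othersRecord = {
  headers: { 'x-session-token': 'tok-alice-9f3a' }, params: { id: 11 },
  body: { title: 'hijacked' },
};

// ... and when the request carries no session key at all.
const noToken = { headers: {}, params: { id: 10 }, body: { title: 'x' } };

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  for (const req of [honestSave, tamperedSave, othersRecord, noToken]) {
    console.log(JSON.stringify(handleSave(req)));
  }
}
```

The tampered save still returns 200, but the `role` and `ownerId` it tried to set never reach the store because the server copies only whitelisted fields onto its own copy of the record; the other two requests are refused before any write. That is the whole of the answer to the question: the client is free to send anything, and the server decides what it means.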