我的网站有一个JavaScript方法,使一个AJAX请求添加项目到购物车无需重新加载页面,使一个简单的通知。
My site has a Javascript method that makes an AJAX request to add an item to cart without reloading the page and making a simple notification.
AddToCart()
然而,使用任何JavaScript控制台,我发现你可以淹没这个请求用一个简单的语句:
However, using any Javascript console, I found you can flood this request with a simple statement:
while (true) {AddToCart()}
和最终锁定服务器,直到浏览器崩溃。一个更稳定的浏览环境很可能甚至锁定服务器下去。那么,这将是防止这种尝试的最好方法是什么?
And eventually lock the server until the browser crashes. A more stable browsing environment could probably even lock the server indefinitely. So what would be the best way to protect against such an attempt?
推荐答案
也许你应该只定义功能的私人空间?
Perhaps you should just define the function in a private namespace?
(function() {
function AddtoCart(){};
})();
这样,你可以不通过控制台引用它。
That way you can't reference it through the console.
这当然是不防弹作为任何人都可以只复制code或发出HTTP请求的URI。
This of course is not bulletproof as anyone could just replicate the code or make HTTP requests to the URI.
您不能停止HTTP请求,但你可以通过实现CSRF令牌可能停止页面处理数据,这样就不会做繁重的处理,除非CSRF令牌相匹配,这是从您的网页,其中造成的CSRF产生基于像时间戳和这样的变量,所以它不能(容易吗?)再现。
You can't stop the HTTP requests but you can stop the page processing data possibly by implementing CSRF tokens so that it won't do the heavy processing unless the CSRF token matches, which is generated from your page which creates the CSRF based on variables like timestamp and such, so it can't be (easily?) reproduced.
相关推荐
最新文章