Protecting "back-end" angular source files

Question

I have an Angular system that solely talks with my Go back-end, and with Gorilla I take care of my sessions for login.

I started working on my admin environment, but I wondered what would be best practice for protecting the angular code for it. It's not really a problem for security because even the admin code will just have logic, and not dangerous data, still I prefer to not have it open to just anyone in the world.

I was thinking of doing the following;

I have a mux router that catches all my resource calls (deployment with Yeoman), and I was wondering whether I could make 3 exceptions there for images/admin, scripts/admin and styles/admin. These paths can then only be served if you have a valid session active; otherwise, throw a 401 header.

Would this be a good solution or is there a more efficient way to achieve this?

Answer 1

Score: 3

If you need a valid (and preferably authorized) session to get some static assets (be they JS code, stylesheets, images...), you need to pass through the application; the stack you use is not relevant at all.

What I'd do is point the resource to something controlled by your application, and then return either a 401 or an empty response with an X-Sendfile or X-Accel-Redirect header so the actual serving is offloaded to whatever reverse proxy you have in place.
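The following is an added example that implements the scheme from the question and this answer in Go; it is not code from the original post or the answerer. It routes the three admin asset prefixes named in the question through the application, returns 401 when the session check fails, and otherwise returns an empty 200 with an X-Accel-Redirect (nginx) or X-Sendfile (Apache mod_xsendfile, lighttpd) header so the proxy streams the file. The session hook, the cookie name `session`, the constructed token value, the `/protected` internal location and the `/srv/app/dist` asset root are all assumptions for the example; a real deployment would plug the Gorilla session lookup into `SessionValidator` and an nginx block such as `location /protected/ { internal; alias /srv/app/dist/; }` in front of it. The request path is cleaned before the prefix test so `..` segments cannot bypass it.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"path/filepath"
	"strings"
)

// protectedPrefixes are the Yeoman-built admin asset directories from the
// question. Anything else under the static root stays public.
var protectedPrefixes = []string{"/images/admin/", "/scripts/admin/", "/styles/admin/"}

// SessionValidator is the hook the application plugs in; in the real system it
// would load the Gorilla session and check that it belongs to a logged-in
// admin. (Assumed interface for this example, not the post's own code.)
type SessionValidator func(r *http.Request) bool

// OffloadConfig selects which reverse-proxy header carries the hand-off.
// Leave a field empty to not emit that header.
type OffloadConfig struct {
	AccelPrefix  string // nginx: an "internal" location, e.g. "/protected" (assumed)
	SendfileRoot string // Apache mod_xsendfile / lighttpd: filesystem root of the built assets (assumed)
}

// isProtectedAsset reports whether an already-cleaned request path is an admin
// asset. The caller cleans the path first so "/scripts/public/../admin/app.js"
// is judged as "/scripts/admin/app.js" instead of slipping past a prefix test.
// "/scripts/admin-old/x.js" is not matched because each prefix ends in "/".
func isProtectedAsset(clean string) bool {
	for _, pre := range protectedPrefixes {
		if strings.HasPrefix(clean, pre) || clean == strings.TrimSuffix(pre, "/") {
			return true
		}
	}
	return false
}

// AdminAssetHandler fronts the public static handler. Anonymous requests for
// admin assets get 401; requests with a valid session get an empty 200 whose
// X-Accel-Redirect / X-Sendfile header makes the proxy stream the file, so the
// Go process never reads the asset from disk itself.
func AdminAssetHandler(valid SessionValidator, cfg OffloadConfig, public http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		clean := path.Clean("/" + r.URL.Path)
		if !isProtectedAsset(clean) {
			public.ServeHTTP(w, r) // non-admin assets are served exactly as before
			return
		}
		// Both the rejection and the hand-off are per-user: never let a shared cache keep them.
		w.Header().Set("Cache-Control", "private, no-store")
		if !valid(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if cfg.AccelPrefix != "" {
			w.Header().Set("X-Accel-Redirect", cfg.AccelPrefix+clean) // URI inside the internal location
		}
		if cfg.SendfileRoot != "" {
			w.Header().Set("X-Sendfile", filepath.Join(cfg.SendfileRoot, clean)) // filesystem path
		}
		w.WriteHeader(http.StatusOK) // empty body; the proxy supplies the file
	})
}

// demoSessionValue is a constructed token for this example only; demoValidator
// stands in for the Gorilla session check and compares it in constant time.
const demoSessionValue = "demo-admin-token"

func demoValidator(r *http.Request) bool {
	c, err := r.Cookie("session")
	return err == nil && subtle.ConstantTimeCompare([]byte(c.Value), []byte(demoSessionValue)) == 1
}

// publicAssets stands in for the existing static handler (e.g. http.FileServer).
var publicAssets = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "public asset")
})

// probe issues one in-memory request against the handler and returns the status
// and the X-Accel-Redirect header, which is all nginx would act on.
func probe(h http.Handler, target string, withSession bool) (int, string) {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	if withSession {
		req.AddCookie(&http.Cookie{Name: "session", Value: demoSessionValue})
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code, rr.Header().Get("X-Accel-Redirect")
}

func main() {
	h := AdminAssetHandler(demoValidator, OffloadConfig{AccelPrefix: "/protected"}, publicAssets)
	for _, tc := range []struct {
		target  string
		session bool
	}{
		{"/scripts/main.js", false},                 // public: served by publicAssets
		{"/scripts/admin/app.js", false},            // admin, no session: 401
		{"/scripts/admin/app.js", true},             // admin, valid session: 200 + X-Accel-Redirect
		{"/scripts/public/../admin/app.js", false}, // traversal attempt: still 401
	} {
		code, redirect := probe(h, tc.target, tc.session)
		fmt.Printf("%-36s session=%-5t -> %d %q\n", tc.target, tc.session, code, redirect)
	}
}
```

Because the hand-off response is per-user, the handler marks it `private, no-store`; without that, a caching proxy in front of nginx could serve one admin's 200 (or a 401) to the next visitor. The nginx location must be declared `internal`, otherwise a client could request `/protected/...` directly and skip the session check entirely.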

huangapple
  • Posted on 2015-09-18 22:16:12
  • Original link: https://go.coder-hub.com/32654253.html