Protecting "back-end" angular source files

Question

I have an Angular system that solely talks with my Go back-end, and with Gorilla I take care of my sessions for login.

I started working on my admin environment, but I wondered what would be best practice for protecting the Angular code for it. It's not really a problem for security, because even the admin code will just have logic and not dangerous data; still, I prefer not to have it open to just anyone in the world.

I was thinking of doing the following:

I have a mux router that catches all my resource calls (deployment with Yeoman), and I was wondering whether I could make 3 exceptions there, for images/admin, scripts/admin and styles/admin. These paths can then only be served if you have a valid session active; otherwise, throw a 401 header.

Would this be a good solution, or is there a more efficient way to achieve this?
Answer 1
Score: 3

If you need a valid (and preferably authorized) session to get some static assets (be they JS code, stylesheets, images...), you need to pass through the application; the stack you use is not relevant at all.

What I'd do is to point the resource to something controlled by your application, and then return either a 401 or an empty response with an X-Sendfile or X-Accel-Redirect header, so the actual serving is offloaded to whatever reverse proxy you have in place.
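The following is an added example, not code from the asker or the answerer, putting the question's three admin prefixes together with the answer's "application decides, proxy serves" pattern in Go. Assumptions: the session check is a stand-in for gorilla/sessions (a constructed in-memory set of valid IDs read from a cookie named "session"), the reverse proxy is nginx with an internal location called /protected (the name is made up), and only X-Accel-Redirect is emitted, since Apache's X-Sendfile wants a filesystem path rather than a URI. The path is cleaned before the prefix check so that a request such as /images/public/../admin/logo.png is still treated as an admin asset.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// validSessions is a constructed stand-in for a gorilla/sessions store:
// the real application would look the cookie up there instead.
var validSessions = map[string]bool{"s3cret-session-id": true}

// hasValidSession reports whether the request carries a known session cookie.
func hasValidSession(r *http.Request) bool {
	c, err := r.Cookie("session")
	if err != nil {
		return false
	}
	return validSessions[c.Value]
}

// protectedPrefixes are the three admin asset directories from the question.
var protectedPrefixes = []string{"/images/admin/", "/scripts/admin/", "/styles/admin/"}

// isProtected reports whether a request path falls under an admin asset
// directory. The path is cleaned first so that ".." segments cannot be used
// to reach an admin file through a non-admin prefix.
func isProtected(p string) bool {
	clean := path.Clean("/" + p)
	for _, pre := range protectedPrefixes {
		if strings.HasPrefix(clean, pre) {
			return true
		}
	}
	return false
}

// internalPrefix is the nginx "internal" location that holds the real files.
// The name is an assumption for this example.
const internalPrefix = "/protected"

// adminAssetHandler implements the answer: unauthenticated requests for a
// protected path get a 401; authenticated ones get an empty 200 whose
// X-Accel-Redirect header tells the proxy which internal file to serve.
func adminAssetHandler(w http.ResponseWriter, r *http.Request) {
	if !isProtected(r.URL.Path) {
		http.NotFound(w, r) // only the admin prefixes are routed here
		return
	}
	if !hasValidSession(r) {
		w.Header().Set("Cache-Control", "no-store")
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	target := internalPrefix + path.Clean("/"+r.URL.Path)
	w.Header().Set("X-Accel-Redirect", target)
	// Keep intermediaries from caching an asset that required a session.
	w.Header().Set("Cache-Control", "private, no-store")
	w.WriteHeader(http.StatusOK) // empty body; the proxy fills it in
}

// probe drives the handler in-process and returns the status code and the
// X-Accel-Redirect header, so behaviour can be checked without a real proxy.
func probe(urlPath, sessionCookie string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, urlPath, nil)
	if sessionCookie != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: sessionCookie})
	}
	rec := httptest.NewRecorder()
	adminAssetHandler(rec, req)
	return rec.Code, rec.Header().Get("X-Accel-Redirect")
}

func main() {
	for _, tc := range []struct{ p, s string }{
		{"/scripts/admin/app.js", ""},
		{"/scripts/admin/app.js", "s3cret-session-id"},
		{"/scripts/admin/app.js", "bogus"},
		{"/images/public/../admin/logo.png", ""},
		{"/styles/public/site.css", ""},
	} {
		code, redir := probe(tc.p, tc.s)
		fmt.Printf("%-36s cookie=%-20q -> %d %s\n", tc.p, tc.s, code, redir)
	}
}
```

On the proxy side the /protected/ location has to be marked internal in nginx, so that the files can only be reached through an X-Accel-Redirect from the application and never by requesting /protected/... directly; otherwise the 401 is decorative.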