How to safeguard credentials when doing authenication for a javascript/jQuery API client?

0 投票
最新提问 用户: (140 分)

I need to call a web service from my client side JavaScript code (which will run as a web page is loading). I understand there are libraries for doing this like this one, or I can just use straightup jQuery as described here.

But one concern I had was authentication. I need to send the webservice a username/password or a authorization header as described here. Now if this will not come from the user, it seems that it needs to be stored somewhere on the browser side code in order for it to be sent when that code runs (client side).

Won't this then be in the clear for all to see just by doing a view source on my page? If so, how can I prevent this?

1个回答

0 投票
最新回答 用户: (1.7k 分)

Well you can encode the user name and password so if someone sees the view source of the web page it will show the encoded credentials.

To encode/decode the credentials you can use the atob and btoa Javascript functions. They are present in the JavaScript implementation of most browsers. See this link: https://developer.mozilla.org/en/docs/Web/API/WindowBase64/Base64_encoding_and_decoding

When sending the credentials to the server you can decode the data before sending the credentials.

To ensure that the credentials are not read during transmission, they should not be sent in plain text. HTTPS can be used to secure the web service requests.

欢迎来到 Security Q&A ,有什么不懂的可以尽管在这里提问,你将会收到社区其他成员的回答。
...