React SignalR - 不要在 URL 中发送不记名令牌
React SignalR - Do not send bearer token in URL
我正在编写的应用程序刚刚通过以下渗透测试失败:
正在发送授权令牌 URL:
https://domain/Hub?access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Imh1Tjk1SXZQZmVocTM0R3pCRFoxR1hHaXJuTSIsImtpZCI6Imh1Tjk1SXZQZmVocTM0R3pCRFoxR1hHaXJuTSJ9.....
发送到使用 Azure AD 授权的集线器时会自动发生这种情况。
constructor (hub: string) {
this.hubName = hub;
this.hub = new HubConnectionBuilder()
.configureLogging(LogLevel.Critical)
.withUrl(`${this.hubURL}${hub}` , {
skipNegotiation: true,
transport: HttpTransportType.WebSockets,
accessTokenFactory: () => {
return `${getToken()}`
}
})
.build();
}
我已经搜索了文档,但我想知道是否有一种方法可以连接和发送请求,而无需在 URL?
中公开不记名令牌
When using WebSockets or Server-Sent Events, the browser client sends
the access token in the query string. Receiving the access token via
query string is generally secure as using the standard Authorization
header. Always use HTTPS to ensure a secure end-to-end connection
between the client and the server. Many web servers log the URL for
each request, including the query string. Logging the URLs may log the
access token. ASP.NET Core logs the URL for each request by default,
which will include the query string. For example:
In standard web APIs, bearer tokens are sent in an HTTP header.
However, SignalR is unable to set these headers in browsers when using
some transports. When using WebSockets and Server-Sent Events, the
token is transmitted as a query string parameter.
在我看来,您可以禁用 WebSocket 和服务器发送事件。有关如何删除 WebSocket 或服务器发送事件的信息,请参阅 。但随后您会退回到长轮询或永久帧,而您可能不希望这样。
因为你的问题中的 URL 是 https,如果你禁用了请求日志记录,我就不会那么在意了。
更改 Microsoft.AspNetCore.Hosting 的日志级别可以在您的 appsettings.json
中完成
{
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.AspNetCore.Hosting": "Warning"
}
}
}
我正在编写的应用程序刚刚通过以下渗透测试失败:
正在发送授权令牌 URL:
https://domain/Hub?access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Imh1Tjk1SXZQZmVocTM0R3pCRFoxR1hHaXJuTSIsImtpZCI6Imh1Tjk1SXZQZmVocTM0R3pCRFoxR1hHaXJuTSJ9.....
发送到使用 Azure AD 授权的集线器时会自动发生这种情况。
constructor (hub: string) {
this.hubName = hub;
this.hub = new HubConnectionBuilder()
.configureLogging(LogLevel.Critical)
.withUrl(`${this.hubURL}${hub}` , {
skipNegotiation: true,
transport: HttpTransportType.WebSockets,
accessTokenFactory: () => {
return `${getToken()}`
}
})
.build();
}
我已经搜索了文档,但我想知道是否有一种方法可以连接和发送请求,而无需在 URL?
中公开不记名令牌When using WebSockets or Server-Sent Events, the browser client sends the access token in the query string. Receiving the access token via query string is generally secure as using the standard Authorization header. Always use HTTPS to ensure a secure end-to-end connection between the client and the server. Many web servers log the URL for each request, including the query string. Logging the URLs may log the access token. ASP.NET Core logs the URL for each request by default, which will include the query string. For example:
In standard web APIs, bearer tokens are sent in an HTTP header. However, SignalR is unable to set these headers in browsers when using some transports. When using WebSockets and Server-Sent Events, the token is transmitted as a query string parameter.
在我看来,您可以禁用 WebSocket 和服务器发送事件。有关如何删除 WebSocket 或服务器发送事件的信息,请参阅
因为你的问题中的 URL 是 https,如果你禁用了请求日志记录,我就不会那么在意了。
更改 Microsoft.AspNetCore.Hosting 的日志级别可以在您的 appsettings.json
{
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.AspNetCore.Hosting": "Warning"
}
}
}