
Spring - How to write an interface in Java that only the app can call?

Can only be called within the app, not on the web.

I seem to have heard that there is such a thing. I am using the Spring MVC framework and don't know how to implement such a function.

巴扎黑 2713 days ago 548


  • phpcn_u1582

    phpcn_u1582 2017-05-17 10:02:48

    It can only be said to be partially prohibited.

    Set a special User Agent before calling it in the app, such as "My own app". When the program starts, check the User Agent sent by the browser. If it is not "My own app", an error will be reported directly.

    But if you meet an expert, they can forge the User Agent at will. As long as they intercept the communication between your App and your server, they can find out which User Agent you use and then forge it in the browser. Sending exactly the same string as your request will do.

    reply
    0
  • 某草草

    某草草 2017-05-17 10:02:48

    Get the current time and then add salt and encrypt it, send it to the server for parsing through url or ua, compare the parsed time with the server time, and throw away any time that exceeds 1 minute. In this way, even if someone else forges ua, they can only use it for 1 minute and then forge a new ua.

    reply
    0
  • 黄舟

    黄舟 2017-05-17 10:02:48

    https client authentication

    reply
    0
  • 我想大声告诉你

    我想大声告诉你 2017-05-17 10:02:48

    If you use the http interface, you might as well add a layer of authentication logic;
    Or use a non-http interface, so that the web side cannot call it

    reply
    0
  • 伊谢尔伦

    伊谢尔伦 2017-05-17 10:02:48

    The ultimate solution is what @markov said: enable two-way authentication of https on the server side.
    To be simpler, you can also use the app to generate a verification code and pass it to the server as an http header. The server will get the verification code, decrypt it and verify it.

    reply
    0
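
An added example, not code from any of the replies above: the one-minute timestamp check from 某草草's answer and the header-borne verification code from 伊谢尔伦's answer, implemented with HMAC-SHA256 in place of "add salt and encrypt". The class name `AppRequestToken`, the `<millis>.<signature>` header layout and the shared secret are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

// Added example; AppRequestToken and the header layout are hypothetical names.
public class AppRequestToken {
    private static final long MAX_SKEW_MS = 60_000; // the 1-minute window from the answer
    private final byte[] secret;                    // shared by the app build and the server
    public AppRequestToken(byte[] secret) { this.secret = secret.clone(); }

    // App side: "<epochMillis>.<base64url(HMAC-SHA256(secret, epochMillis))>"
    public String issue(long nowMs) {
        String ts = Long.toString(nowMs);
        return ts + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(ts));
    }

    // Server side: reject malformed, wrongly signed, stale or future-dated values.
    public boolean verify(String header, long serverNowMs) {
        int dot = (header == null) ? -1 : header.indexOf('.');
        if (dot <= 0) return false;
        String ts = header.substring(0, dot);
        try {
            long sent = Long.parseLong(ts);
            byte[] presented = Base64.getUrlDecoder().decode(header.substring(dot + 1));
            // Constant-time compare, so timing does not reveal how many bytes matched.
            if (!MessageDigest.isEqual(mac(ts), presented)) return false;
            long age = serverNowMs - sent;
            return age >= -MAX_SKEW_MS && age <= MAX_SKEW_MS;
        } catch (IllegalArgumentException e) { return false; } // bad number or bad base64
    }

    private byte[] mac(String message) {
        try {
            Mac hmac = Mac.getInstance("HmacSHA256");
            hmac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return hmac.doFinal(message.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    public static void main(String[] args) {
        AppRequestToken t = new AppRequestToken("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis();
        String header = t.issue(now); // constructed sample value
        System.out.println("fresh: " + t.verify(header, now + 5_000));
        System.out.println("after window: " + t.verify(header, now + 61_000));
    }
}
```

In Spring MVC, `verify` would typically be called from a `HandlerInterceptor`'s `preHandle` on the request header carrying the value. A secret shipped inside the app can be extracted from it, and a captured value stays valid for the whole window, so this check narrows abuse rather than proving that the caller is the app.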