I am implementing a web application composed of a Javascript front end (single page application if you prefer) and a Rails backend.

The front end app makes requests to the server through an API. I want to know what the best practice is for sending the password on login or on password reset.

Should I send the clear password, or should I send the hash?

I think that both solutions have their drawbacks:

If I hash the password with JS, the user will have the code in his browser and can understand how I secure the password.

If I keep it clear, well, it is just clear and so it can be intercepted.

asked Jun 10, 2015 at 16:25 by ciaoben
  • Use https for secure transmission :-) – Shawn, Jun 10, 2015 at 16:28
  • Just send it over HTTPS. Some would also recommend using POST instead of GET because server logging is less likely to capture the password than if using GET (often times URLs are logged). – jfriend00, Jun 10, 2015 at 16:39

1 Answer


As long as you're using HTTPS then their password cannot be intercepted. Well.... it probably won't be intercepted. But the tactics that they would have to use in order to capture that password are somewhat out of your control. The user will have to be sure that they are actually connected to your site.

I suggest reading this answer as well.

He goes over what it would take in order to intercept HTTPS communication. Your responsibility would be to make sure that your site only serves over HTTPS and that you have a completely valid certificate.
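As an added example (not code from the question, the answer or the comments), here is what that advice looks like on the Rails side of the API: a Rack-style login handler that refuses to process credentials over plain HTTP, sends an HSTS header so browsers stay on HTTPS, accepts the password only in a POST body (never in a query string that proxies and server logs would record), and verifies it against a stored PBKDF2 hash using only Ruby's standard library. The `env` hash layout, the in-memory `USERS` table, the sample user and the `request_env` helper are constructed for the example; in a real Rails app the HTTPS redirect and the HSTS header come from `config.force_ssl = true` rather than from hand-written code.

```ruby
require 'json'
require 'openssl'
require 'securerandom'
require 'stringio'

PBKDF2_ITERATIONS = 100_000 # assumed work factor; tune for your hardware

# Derive a PBKDF2-HMAC-SHA256 hash of the password (stdlib OpenSSL only).
def hash_password(password, salt = SecureRandom.random_bytes(16))
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                                    length: 32, hash: 'sha256')
  { salt: salt, digest: digest }
end

# Byte-wise comparison that does not short-circuit on the first mismatch.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_matches?(stored, candidate)
  probe = OpenSSL::KDF.pbkdf2_hmac(candidate, salt: stored[:salt], iterations: PBKDF2_ITERATIONS,
                                   length: 32, hash: 'sha256')
  constant_time_equal?(probe, stored[:digest])
end

# Constructed user table; a real app would read this from the database.
USERS = { 'alice' => hash_password('correct horse battery staple') }.freeze

HSTS = { 'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains' }.freeze

# Rack-style handler: takes an env hash, returns [status, headers, body].
def login(env)
  https = env['rack.url_scheme'] == 'https' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
  unless https
    # Credentials sent over plain HTTP are never read; redirect, as Rails' force_ssl does.
    return [301, { 'Location' => "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}" }, []]
  end

  unless env['REQUEST_METHOD'] == 'POST'
    # A GET would carry the password in the URL, which ends up in access logs.
    return [405, HSTS.merge('Allow' => 'POST'), []]
  end

  begin
    params = JSON.parse(env['rack.input'].read)
  rescue JSON::ParserError
    return [400, HSTS, []]
  end
  return [400, HSTS, []] unless params.is_a?(Hash)

  user = USERS[params['username'].to_s]
  if user && password_matches?(user, params['password'].to_s)
    # Session token is constructed here; a real app would persist it server-side.
    body = { token: SecureRandom.hex(16) }.to_json
    [200, HSTS.merge('Content-Type' => 'application/json'), [body]]
  else
    # Same status for unknown user and wrong password to avoid username enumeration.
    [401, HSTS, []]
  end
end

# Builds a minimal Rack-like env for exercising the handler offline (constructed).
def request_env(scheme:, method:, body: '')
  { 'rack.url_scheme' => scheme, 'REQUEST_METHOD' => method,
    'HTTP_HOST' => 'api.example.com', 'PATH_INFO' => '/login',
    'rack.input' => StringIO.new(body) }
end

if __FILE__ == $PROGRAM_NAME
  creds = { username: 'alice', password: 'correct horse battery staple' }.to_json
  p login(request_env(scheme: 'https', method: 'POST', body: creds))[0] # 200
  p login(request_env(scheme: 'http', method: 'POST', body: creds))[0]  # 301
  p login(request_env(scheme: 'https', method: 'GET'))[0]                # 405
end
```

The client sends the clear password in the POST body over TLS and the server does the hashing; hashing in the browser would only turn the hash into the password-equivalent that an interceptor needs, so it buys nothing that TLS does not already provide.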

Tags: javascript | What is the best practice for sending password from frontend to API server | Stack Overflow