为了增加安全性,我们的服务器会跟踪浏览器指纹。目前,我们使用以下标题:
HTTP_CLIENT_IP、HTTP_X_FORWARDED_FOR、HTTP_X_FORWARDED、HTTP_X_CLUSTER_CLIENT_IP、HTTP_FORWARDED_FOR、HTTP_FORWARDED、REMOTE_ADDR(以第一个非空为客户端IP)HTTP_ACCEPT_*标头HTTP_USER_AGENT
是否还有其他(可选)标头可以使用?
一般来说,计算客户端指纹的最佳"算法"是什么?
您可以使用唯一的浏览器指纹(用户代理、web浏览器、画布等),然后获取哈希。
/* Generate a fingerprint string for the browser */
function generateFingerprint(){
//Generate a string based on "stable" information taken from the browser
//We call here "stable information", information that normally don't change during the user
//browse the application just after authentication
var fingerprint = [];
//Take plugins
for(var i = 0; i < navigator.plugins.length; i++){
fingerprint.push(navigator.plugins[i].name);
fingerprint.push(navigator.plugins[i].filename);
fingerprint.push(navigator.plugins[i].description);
fingerprint.push(navigator.plugins[i].version);
}
//Take User Agent
fingerprint.push(navigator.userAgent);
//Take Screen resolution
fingerprint.push(screen.availHeight);
fingerprint.push(screen.availWidth);
fingerprint.push(screen.colorDepth);
fingerprint.push(screen.height);
fingerprint.push(screen.pixelDepth);
fingerprint.push(screen.width);
//Take Graphical card info
//See http://output.jsbin.com/ovekor/3/
try {
//Add a Canvas element if the body do not contains one
if ( $("#glcanvas").length == 0 ){
$(document.body).append("<canvas id='glcanvas'></canvas>");
}
//Get ref on Canvas
var canvas = document.getElementById("glcanvas");
//Retrieve Canvas properties
gl = canvas.getContext("experimental-webgl");
gl.viewportWidth = canvas.width;
gl.viewportHeight = canvas.height;
fingerprint.push(gl.getParameter(gl.VERSION));
fingerprint.push(gl.getParameter(gl.SHADING_LANGUAGE_VERSION));
fingerprint.push(gl.getParameter(gl.VENDOR));
fingerprint.push(gl.getParameter(gl.RENDERER));
fingerprint.push(gl.getSupportedExtensions().join());
} catch (e) {
//Get also error because it's will be stable too..
fingerprint.push(e);
}
//Last and, in order to made this browser unique, generate a random ID that we will store
//in local storage (in order to be persistent after browser close/reopen)
//Add this ID because, in Enterprise, most of the time browser have the same configuration
var browserUniqueID = localStorage.getItem("browserUniqueID");
if (browserUniqueID === null) {
localStorage.setItem("browserUniqueID", CryptoJS.lib.WordArray.random(80));
browserUniqueID = localStorage.getItem("browserUniqueID");
}
fingerprint.push(browserUniqueID);
return fingerprint.join();
}
最后得到散列并发送到服务器。
//Call the fingerprint dedicated function
var fingerprint = generateFingerprint();
//Use CryptoJS library ot generate a hex encoded string of the hash of the fingerprint
var fingerprintHash = CryptoJS.SHA256(fingerprint);
来源:https://www.owasp.org/index.php/JSON_Web_Token_(JWT)_Cheat_Sheet_for_Java#令牌_劫持https://browserleaks.com/canvas
回答标题的命名问题:
我用了X-Fingerprint,但没有找到任何标准的方法。你可以让它更";模糊的";所以人们不会认为这是一个可以篡改的领域。
最后,我看到像X-...这样的标题应该是免费的(冲突的机会更少),但最近几年越来越多的工具使用它们,这种命名似乎变成了";标准";或一个";公约";(例如类似于x-request-id)。