php - In a hybrid application, how do you confirm that only your application is accessing the server-side pages?

Hybrid applications are obviously new, so it is hard to find good information about this. I know I need to allow cross-origin resource sharing on my server-side pages, but this obviously adds security holes. On a phonegap / cordova application I only have client-side control, and I have ajax calls to my server-side pages. This means anyone can access my php pages. This means anyone can imitate my application by accessing all of my data (such as account information, etc.). My question is: how do I confirm that only my application is accessing these pages? Please give specific coding examples.

Solution:

I answered your question, and many similar ones from other people, in this blog post: Client authenticity is not the server's problem.

One of the most basic rules of application security is input validation. The reason this rule is so fundamental is because your server only has control (and visibility) over the software running on itself. Every other device on the Internet is a black box that you can communicate with over networking protocols. You can’t see what it’s doing, you only see the messages that it sends.

The server should remain agnostic to the client.

The software on the client and the software on the server should have a mutual distrust towards each other. Any messages that the server receives should be validated for correctness and handled with care. Data should never be mixed with code if you can help it.

The take-away is: Instead of trying to control your users, focus on making their misbehavior inconsequential to the stability and integrity of your server.
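To make the answer's point concrete for the asker's PHP endpoint, here is an added example (not from the original post or the blog): the server never tries to prove the caller is "the app"; it validates every input and authorizes the authenticated user, so a request forged by anyone else still only reaches that user's own rows. The token value, table layout and data are constructed for the example, using an in-memory SQLite database.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory database (not real accounts).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, user_id INTEGER, balance INTEGER)');
$db->exec('CREATE TABLE api_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER)');
$db->exec('INSERT INTO accounts VALUES (1, 10, 500), (2, 11, 900)');
// Hypothetical token issued to user 10 at login; the server stores only its hash.
$issuedToken = 'constructed-token-for-user-10';
$db->prepare('INSERT INTO api_tokens VALUES (?, ?)')
   ->execute([hash('sha256', $issuedToken), 10]);

// Map the Authorization header to a user id; unknown or malformed tokens get null.
function authenticateUser(PDO $db, ?string $authHeader): ?int {
    if ($authHeader === null || !preg_match('/^Bearer\s+(\S+)$/', $authHeader, $m)) {
        return null;
    }
    $stmt = $db->prepare('SELECT user_id FROM api_tokens WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $m[1])]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int)$userId;
}

// Handler for GET /account.php?id=N: authenticate the user, validate the input,
// and scope the query to that user. Which client sent the request is irrelevant.
function getAccount(PDO $db, array $query, ?string $authHeader): array {
    $userId = authenticateUser($db, $authHeader);
    if ($userId === null) {
        return ['status' => 401, 'body' => ['error' => 'unauthenticated']];
    }
    // Input validation: accept only a positive integer, nothing else.
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['status' => 400, 'body' => ['error' => 'invalid id']];
    }
    // Prepared statement keeps data out of the SQL; the user_id condition means
    // another user's account is simply not found, however the request was crafted.
    $stmt = $db->prepare('SELECT id, balance FROM accounts WHERE id = ? AND user_id = ?');
    $stmt->execute([$id, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? ['status' => 200, 'body' => $row]
                : ['status' => 404, 'body' => ['error' => 'not found']];
}

var_dump(getAccount($db, ['id' => '1'], "Bearer $issuedToken")['status']); // 200, own account
var_dump(getAccount($db, ['id' => '2'], "Bearer $issuedToken")['status']); // 404, another user's
var_dump(getAccount($db, ['id' => '1'], null)['status']);                  // 401, no token
```

In a real deployment the same handler would sit behind HTTPS and read the header from `$_SERVER['HTTP_AUTHORIZATION']`; the CORS headers the asker mentions only govern browsers and add nothing to this server-side check.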
