
Reset password ASP.NET - security question?

Updated: 2023-09-28 13:26:52


If you construct your hash correctly, the URL click will have to come from the IP address that requested the reset. This would require the MITM to spoof the IP and/or falsify headers. While this is possible, the more uniquely you can identify the hash to the system in question, the more difficult it becomes to "end-around" the hash.


It is also recommended that the GUID be a one-way hash of certain criteria. It is also possible to encrypt system data in the request using a public key that a private key unlocks so that when the URL is clicked, this same public encrypted system data must accompany the hash, and the only system that could unencrypt these values would be the private key held at the server. Basically a pseudo-PKI attachment to the hash.
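The token construction the answer describes (a keyed one-way hash over the user, the requesting IP, a nonce and an expiry, re-checked against the IP seen on the click), as an added illustration that is not code from the original answer or from ASP.NET; the key, user id and IP addresses are constructed sample values, and the scheme is shown in Python rather than C# for brevity.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed demo key: a real deployment keeps this in protected server configuration.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL_SECONDS = 15 * 60  # reset links stay valid for 15 minutes


def _mac(user_id: str, ip: str, nonce: str, expires: int) -> str:
    # Keyed one-way hash over the criteria the link must still match when it is clicked.
    payload = "\x00".join([user_id, ip, nonce, str(expires)]).encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_reset_token(user_id: str, request_ip: str, now: Optional[int] = None) -> str:
    """Create the token for the reset e-mail, bound to the IP address that asked for it."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(16)  # makes every token unique, even for the same user and IP
    return f"{user_id}.{nonce}.{expires}.{_mac(user_id, request_ip, nonce, expires)}"


def verify_reset_token(token: str, click_ip: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the clicked token is intact, unexpired and from the same IP, else None."""
    now = int(time.time()) if now is None else now
    parts = token.rsplit(".", 3)  # user id may itself contain dots; the last three fields may not
    if len(parts) != 4:
        return None
    user_id, nonce, expires_str, mac = parts
    if not expires_str.isdigit():
        return None
    expires = int(expires_str)
    if now >= expires:
        return None  # stale link
    # Recompute with the IP seen on the click: a change to user, IP, nonce or expiry breaks the MAC.
    expected = _mac(user_id, click_ip, nonce, expires)
    if not hmac.compare_digest(expected, mac):
        return None
    return user_id


if __name__ == "__main__":
    token = issue_reset_token("alice", "203.0.113.10", now=1_700_000_000)
    print(verify_reset_token(token, "203.0.113.10", now=1_700_000_100))  # alice
    print(verify_reset_token(token, "198.51.100.7", now=1_700_000_100))  # None
```

Binding the token to the requesting IP also rejects legitimate users whose address changes between request and click (mobile networks, proxies), so the short expiry and the per-token nonce carry most of the protection, and the server should additionally invalidate a token once it has been used.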
