Comments
-
Also, if you only consume the service via another service (aka no website involved), you don't need CSRF protection.
-
@11000100111000 I got one web app. But isn't the CSRF token useless if anyone can get one via GET?
-
APIs usually have a token for a session for this, so an app only needs to use this token to get access without transferring passwords.
-
@SteffTek the issue is that anyone can create a form on his page which submits a request to your API; for this request cookies are sent (in contrast, JavaScript requests from different origins can't send cookies unless your API explicitly allows it).
This means any site can make POST (or other) requests on your behalf.
-
@11000100111000 I know that, that's why I have a CSRF token. And why should I let anyone create one?
-
Because the forms which execute CSRF can't read the response of the request they sent and thus can't acquire the token.
-
@11000100111000 I am using my own session system because I migrated from PHP to Node and didn't want to rewrite my whole backend with SQL and so on.
Or what sessions do you mean?
-
@SteffTek No, please don't bind it to the connection. I may have a tab open for 30 minutes and still want to write my comments...
-
@SteffTek Maybe you want double-submit tokens? Send the token in a cookie AND via the form (or JavaScript or whatever). This way you don't need to store "valid" tokens somewhere.
-
@sbiewald I stuck with disabling CSRF on my API calls completely. Works fine and is promoted by the CSurf middleware on GitHub.
-
@11000100111000 No, it doesn't, as long as they are sent via the form, too. An attacker cannot modify session cookies of a user for a third-party site.
-
@sbiewald but they can submit a request which sends the cookies and make requests on your behalf.
-
@SteffTek maybe you should read a few articles about it; you really shouldn't consider deploying an API without CSRF protection.
-
@11000100111000 but it's recommended by the CSRF middleware to make APIs without that token, so other applications can access them.
-
@11000100111000 And the token still has to be sent in the request body, too (and an attacker cannot make it magically match the cookie). Please see: https://github.com/OWASP/...
There are drawbacks, e.g. when subdomains are attacker-controlled.
-
@SteffTek do you want other applications to make arbitrary requests on behalf of another user?
-
@sbiewald okay, I misunderstood your point; I thought you meant submitting the token two ways with either way being okay.
Related Rants
Currently working on my own Express App with CSurf for csrf validation.
Works great but one problem...
HOW THE FUCK SHOULD A POST REQUEST COMING FROM JAVA GET THE FUCKING TOKEN.
Should I make my REST API without CSRF protection?
I am crying right now...
rant
expressjs
fuck this shit
node.js