Comments
-
@11000100111000 I have one web app. But isn't a CSRF token useless if anyone can get one via GET?
-
stop68026y
APIs usually have a token for a session for this, so an app only needs to use this token to get access without transferring passwords.
-
@11000100111000 I know that, that's why I have a CSRF token. And why should I let anyone create one?
-
@11000100111000 OK, I'll try, seems to be working...
Just wondering how long such a token is valid 🤔
-
@11000100111000 I am using my own session system because I migrated from PHP to Node and didn't want to rewrite my whole backend with SQL and so on.
Or what sessions do you mean?
-
@SteffTek No, please don't bind it to the connection. I may have a tab open for 30 minutes and still want to write my comments...
-
@SteffTek Maybe you want double-submit tokens? Send the token in a cookie AND send it via the form (or JavaScript or whatever). This way you don't need to store "valid" tokens somewhere.
-
@sbiewald I stuck with disabling CSRF on my API calls completely. Works fine and is promoted by the CSurf middleware on GitHub.
-
@11000100111000 No it doesn't, as long as they are sent via the form, too. An attacker cannot modify a user's session cookies for a third-party site.
-
@11000100111000 But it's recommended by the CSRF middleware to make APIs without that token, so other applications can access them.
-
@11000100111000 And the token still has to be sent in the request body, too (and an attacker cannot make it magically match the cookie). Please see: https://github.com/OWASP/...
There are drawbacks, e.g. when subdomains are attacker-controlled.
Related Rants
Currently working on my own Express app with CSurf for CSRF validation.
Works great but one problem...
HOW THE FUCK SHOULD A POST REQUEST COMING FROM JAVA GET THE FUCKING TOKEN.
Should I make my REST API without CSRF protection?
I am crying right now...
rant
expressjs
fuck this shit
node.js