I have REST API written on PHP with authentication based on JWT. Workflow is simple: user sends username and password and gets JWT token back, with what they will be authenticated on all REST requests. Everything is pretty logic and cool, but now i have a problem with storing token client side, after some googling i found what only HTTP Only, Secure cookies are good for this, but they are vulnerable for CSRF attacks, so i am planning to user CSRF token to solve this problem. And here comes the question, how REST can validate CSRF token, if token issued by client? How REST backend understand what this random string is valid for this request and another random string is not? REST is stateless, he doesn't know what kind of token client have issued because REST and client are on separate backends, even on separate servers.
0条回答 默认 最新
- 2019-01-14 16:19回答 2 已采纳 The CSRF token is random and unique per session. Hence, an attacker can get the value of this toke
- 2014-05-22 23:51回答 2 已采纳 This is just a wild guess, but could it be the combination of the Base64 encoding and submitting t
- 2018-10-07 10:29回答 1 已采纳 It worked! As mentioned by @gp, I had to copy all cookies instead of just setting header. I did be
- 2023-09-15 09:54zzhongcy的博客 虽然在许多情况下这在技术上可能是正确的,但通常很难预测访问 API 的所有方式(以及将来可能修改的方式),因此为 REST API 提供 CSRF 保护可能会被视为额外的安全层。使用上述基本的反 CSRF 令牌,您可以在登录时...
- 2019-04-12 12:17回答 2 已采纳 After looking through the GoBuffalo docs, and in particular THIS part of the forms page, All i had
- 2018-04-02 12:24回答 1 已采纳 You can use frontend and backend as different cookie and session Cookie Backend 'identityCookie'
- 2018-11-12 22:51回答 1 已采纳 One option is to only use the CSRF protection on specific HTTP handlers, rather than protecting th
- 2020-09-30 04:57weixin_26741563的博客 dr — If your SPA uses a private REST API, use CORS and a CSRF Token header. If your SPA uses a public REST API, use a SameSite Strict cookie for mutating operations (if you only support...
- 2017-03-10 15:46回答 1 已采纳 You should change this <button type="submit" name="form_name">Create</button> With
- 2016-11-29 13:26回答 3 已采纳 You should add a field named - _token, instead of csrfToken like this: data.append( "_token", Lar
- 2017-08-14 06:08回答 2 已采纳 Just add this to your script <script type="text/javascript"> $.ajaxSetup({
- 2022-12-07 23:15西京刀客的博客 浏览器在发送请求的时候,会自动带上当前域名对应的cookie内容,发送给服务端,不管这个请求是来源A网站还是其它网站,只要请求的是A网站的链接,就会带上A网站的cookie。 浏览器的同源策略并不能阻止CSRF攻击。 ...
- 2014-12-08 07:50回答 1 已采纳 My hosting provider confirmed that it was an security rule on the server causing the issue and hel
- 2019-10-23 20:17孤独的侠客的博客 在前后端不分离的应用模式中,前端页面看到的效果都是由后端控制,由后端渲染页面或重定向,也就是后端需要控制前端的展示,前端与后端的耦合度很高。 应用场景分析 这种应用模式比较适合纯网页应用,但是当后端对接...
- 2023-03-13 16:45亚林瓜子的博客 REST版本的csrf防护,就是在原有的登录接口基础上面,新增一个实时随机请求头来,实现CSRF防护。
- 没有解决我的问题, 去提问
悬赏问题
- ¥15 扩散模型sd.webui使用时报错“Nonetype”
- ¥15 stm32流水灯+呼吸灯+外部中断按键
- ¥15 将二维数组,按照假设的规定,如0/1/0 == "4",把对应列位置写成一个字符并打印输出该字符
- ¥15 NX MCD仿真与博途通讯不了啥情况
- ¥15 win11家庭中文版安装docker遇到Hyper-V启用失败解决办法整理
- ¥15 gradio的web端页面格式不对的问题
- ¥15 求大家看看Nonce如何配置
- ¥15 Matlab怎么求解含参的二重积分?
- ¥15 苹果手机突然连不上wifi了?
- ¥15 cgictest.cgi文件无法访问