当前端和API都在同一Go服务器上时，如何从CSRF保护REST API？

I am working on a web site created in Go.

It is possible to access it both via web (server side pages generated via golang templates) and a REST API (for external users who whant to integrate their own software). The Go server handles both types of requests, with a subrouter that handles the API when calls are sent to the subpath "my-url-root/api".

The web pages use secure cookies
The API is stateless: no cookies (each API method must receive in the header an authentication token obtained via a dedicated login method)

I successfully applied gorilla/csrf to protect the web pages from csrf attacks, but that modification (essential before I go live) is now creating an issue with the API.

My question When the CSRF is implemented, all GET requests sent to the api URLs work as expected, but any other request sent (e.g. a POST to a method to add something via my REST api) generates an html response that typically states "forbidden - invalid csrf token".

Is there a straightforward way that I am missing? I searched for answers but none applicable to the case where the api is served by the same server and most of all it is stateless. Should I see if I can "disable" the gorilla csrf protection for the subrouter (though I do not even know if that is possible and if that is even safe...)?

Thanks for your help.

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dsrbb20862 2018-10-24 20:04
关注
Ok, so I tried to apply the suggestions above and I came up with a solution to my problem.

I tested that it works by checking web and api calls against my urls and sub-urls with and without the csrf protection.

Just a clarification to my previous comment. To be more precise the order I created the Submuxes did not matter but of course I had then followed a proper order when I wrote down the lines to Handle each path.

So, the order IS important.

This is what I did (just bits of code).

I used goji as a router and gorilla/csrf for the csrf protection.

NOTE: I did not include all my code but just the most important parts to describe what I did.

1) I created a mux using

mux := goji.NewMux()

2) since my APIs are served under the url "/api" and related sub urls, I created a Submux for the api

apiMux := goji.SubMux()

3) I assigned the pages that match the path "/api" and "/api*" to this subMux

Note that I did NOT include any csrf protection

mux.Handle(pat.New("/api/*"), apiMux) mux.Handle(pat.New("/api"), apiMux)

4) I created a Submux for web pages of my site

webMux := goji.SubMux()

5) I assigned the pages that match the path "/" and "/*" to this subMux

Note that here in my code I linked the middleware for the csrf protection

mux.Handle(pat.New("/"), csrf.Protect(csrfKey, csrf.Secure(true))(webMux)) mux.Handle(pat.New("/*"), csrf.Protect(csrfKey, csrf.Secure(true))(webMux))

6) For my benefit, I created other SubMuxes to handle other paths, like "/users", "/users/1", "/users/addform". This step is important: I assigned this "userMux" to the webMux, and not to the main mux created at step 1.

In this way, the csrf protection is inherited. Example:

usersMux := goji.SubMux() webMux.Handle(pat.New("/users/*"), usersMux) webMux.Handle(pat.New("/users"), usersMux)

IN few words, this was the solution to my problem:

I) I assigned this "apiMux" to the main mux created at step 1.

I did not assigned it to any other mux. I did NOT assigned it to the webMux that handles the root url "/" and "/*"

II) The order is important, so I implemented the code for the API urls and then the code for the web urls

I hope it helps. And most of all I hope the explanation was clear... (if not just let me know). Thanks for pointing me in the right direction
解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

在JSON API调用上禁用CSRF
2018-11-12 22:51

回答 1 已采纳 One option is to only use the CSRF protection on specific HTTP handlers, rather than protecting th
SPA，使用oauth2 api的网站 - 我需要csrf保护吗？ javascript php
2017-07-29 14:31

回答 1 已采纳 If I understand your setup, it is as follows: User POSTs credentials (eg: login form) Server ret
如何使用FOSRestBundle和FOSOauthServerBundle保护REST API中的用户资源？ php symfony
2014-05-29 10:22

回答 2 已采纳 I've found the solution. It's easy, just I've added the following code in my rest controller and t
关于Go语言的底层，你想知道的都在这里！
2023-03-09 12:13

夏沫の梦的博客 Go语言提供了一种机制在运行时更新和检查变量的值、调用变量的方法和变量支持的内在操作，但是在编译时并不知道这些变量的具体类型，这种机制被称为反射。反射也可以让我们将类型本身作为第一类的值类型处理。反射是...
CSRF令牌保护意义何在？ csrf php
2019-01-14 16:19

回答 2 已采纳 The CSRF token is random and unique per session. Hence, an attacker can get the value of this toke
CORS - API身份验证：会话（CSRF安全） - 解决方案？ php
2016-03-17 09:40

回答 1 已采纳 By default, credentials (such as cookies) are not sent on cross-origin requests because they trigg
从Golang Buffalo网络应用发送推文时，无法设置CSRF令牌 csrf
2019-04-12 12:17

回答 2 已采纳 After looking through the GoBuffalo docs, and in particular THIS part of the forms page, All i had
Django REST framework API 指南（13）：认证
2018-03-15 14:05

weixin_33717117的博客官方原文链接本系列文章 github 地址转载请注明出处身份验证身份验证是将传入请求与一组识别凭证（例如请求的用户...身份验证始终在视图的开始处运行，在执行权限和限制检查之前，在允许继续执行任何其他代码之...
XSS和CSRF有哪些相同点，xss和csrf如何打组合拳？ javascript web安全有问必答网络安全
2022-10-11 19:24

回答 4 已采纳共同点为：将一些隐私数据像 cookie、session 发送给攻击者，将受害者重定向到一个由攻击者控制的网站，在受害者的机器上进行一些恶意操作。
Angular2和Laravel CSRF保护 ajax angular csrf php
2016-12-19 09:19

回答 1 已采纳 You can create a meta tag with csrf-token by using JavaScript in your html file! How to do this:
切换服务器后，Laravel CsrfToken将在刷新时到期 laravel nginx php
2016-10-08 13:41

回答 2 已采纳 As per comments bellow where I forgot to update, I found out the problem was actually the fact, th
前端基础知识点-每天一个基本知识点（100+个前端小知识，你是否都知道？）
2022-02-21 00:25

文默的博客文章目录前言第一回合一、知识点：cookie（21/09/06）二、知识点：节流和防抖（21/09/07）三、知识点：var和let以及const（21/09/08）四：知识点：深拷贝和浅拷贝（21/09/09）五、知识点：作用域和作用域联（21/09/...
如何在控制器上检查令牌（CSRF）？ csrf laravel php
2015-02-17 08:14

回答 2 已采纳 Assuming you use laravel 4.x: You don't need to check this in your controller. defining the befor
为什么我的JavaScript在所请求的资源上出现“No‘Access-Control-Allow-Origin‘标头”错误，当Postman没有？
2021-02-07 16:42

短期菜鸟的博客为什么我的JavaScript在所请求的资源上出现“No'Access-Control-Allow-Origin'标头”错误，当Postman没有？ [英]Why does my JavaScript get a “No 'Access-Control-Allow-Origin' header is present on the ...
Golang优秀开源项目汇总, 10大流行Go语言开源项目, golang 开源项目全集(golang/go/wiki/Projects), GitHub上优秀的Go开源项目...
2018-05-08 20:08

weixin_33836874的博客）我把这个汇总放在github上了，后面更新也会在github上更新。 https://github.com/hackstoic/golang-open-source-projects 。欢迎fork， star ， watch，提issue。资料参考来源：...
没有解决我的问题, 去提问

悬赏问题

¥15 写一个方法checkPerson，入参实体类Person，出参布尔值
¥15 我想咨询一下路面纹理三维点云数据处理的一些问题，上传的坐标文件里是怎么对无序点进行编号的，以及xy坐标在处理的时候是进行整体模型分片处理的吗
¥15 CSAPPattacklab
¥15 一直显示正在等待HID—ISP
¥15 Python turtle 画图
¥15 关于大棚监测的pcb板设计
¥15 stm32开发clion时遇到的编译问题
¥15 lna设计源简并电感型共源放大器
¥15 如何用Labview在myRIO上做LCD显示？(语言-开发语言)
¥15 Vue3地图和异步函数使用

当前端和API都在同一Go服务器上时，如何从CSRF保护REST API？

1条回答 默认 最新

悬赏问题

1条回答默认最新