doutangkao2789 2013-11-27 06:19
浏览 112
已采纳

这会阻止跨站点请求伪造吗?

I am thinking of a way to stop Cross-site request forgery attack as part of my secure coding class.

I am thinking that if I could block attempt to connect to my website with different address than one that page is located at... But would that work? If not, what would be better approach?

What if I did this as my attempt:

// assuming my page is still on 192.168.195.128
if($_SERVER['REQUEST_METHOD'] == 'POST' && 
    $_SERVER["HTTP_HOST"] != "192.168.195.128")
{
    echo 'Cross-site request forgery attempt!';
}
else
{
    // continue normal execution
}
  • 写回答

1条回答 默认 最新

  • dongzhou1865 2013-11-27 06:23
    关注

    No, that won't do anything to stop CSRF.

    What you need is a token of some kind that is passed to the user to be sent back on a form submission. This token should only be used once, and in a specific place.

    CSRF works by sending a generic request to a different site than the user is currently on, generally taking advantage of the fact that they are already authenticated and what not on the site being attacked. These requests come from the user's browser and look just like normal requests. You can check the referrer, but a simple token passed in a form is generally considered better.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 求数据集和代码#有偿答复
  • ¥15 关于下拉菜单选项关联的问题
  • ¥20 java-OJ-健康体检
  • ¥15 rs485的上拉下拉,不会对a-b<-200mv有影响吗,就是接受时,对判断逻辑0有影响吗
  • ¥15 使用phpstudy在云服务器上搭建个人网站
  • ¥15 应该如何判断含间隙的曲柄摇杆机构,轴与轴承是否发生了碰撞?
  • ¥15 vue3+express部署到nginx
  • ¥20 搭建pt1000三线制高精度测温电路
  • ¥15 使用Jdk8自带的算法,和Jdk11自带的加密结果会一样吗,不一样的话有什么解决方案,Jdk不能升级的情况
  • ¥15 画两个图 python或R