For non-PHP based web-clients (JSON) making use of Laravel Controllers; What would be the potential alternatives to CSRF tokens in Laravel to secure web requests?
- dounang1974 2016-10-28 09:40
If your API uses an authentication scheme that does not depend on the authentication token being sent automatically by the browser (which practically means the token or session id is not in a cookie), your API is not vulnerable to CSRF. This includes token-based auths, unless the token is stored in a cookie.
If cookies are used to pass auth tokens (including session ids, which is the same in this respect), you need CSRF protection for all requests that change server state (mostly data, but also logon status or privilege level for example).
For Laravel, you need to pass the token value from the `XSRF-TOKEN` cookie as a request header value in `X-CSRF-TOKEN`. With jQuery, this is easily accomplished in any client framework by reading the cookie value and adding it to requests:

    $.ajaxSetup({ headers: { 'X-CSRF-TOKEN': csrfCookieValue } });
If your client is not browser based, you can implement a different protection than the one in Laravel already. OWASP has a cheat sheet on what your options are, probably double submit is the easiest to implement while being reasonably secure. In very short, you create a random token and send that to the server as a cookie and also as a request header, the server only compares whether the two (cookie and header) match. This works, because an attacker on a different origin (domain) cannot set or access a cookie for the application origin due to the same origin policy in browsers.
This answer was chosen by the asker as the best answer.