For non-PHP based web-clients (JSON) making use of Laravel Controllers; What would be the potential alternatives to CSRF tokens in Laravel to secure web requests?
2条回答 默认 最新
dounang1974 2016-10-28 09:40关注If your API uses an authentication scheme that does not depend on the authentication token being sent automatically by the browser (which practically means the token or session id is not in a cookie), your API is not vulnerable to CSRF. This includes token-based auths, unless the token is stored in a cookie.
If cookies are used to pass auth tokens (including session ids, which is the same in this respect), you need CSRF protection for all requests that change server state (mostly data, but also logon status or privilege level for example).
For Laravel, you need to pass the token value from the
XSRF-TOKENcookie as a request header value inX-CSRF-TOKEN. With jQuery, this is easily accomplished in any client framework by reading the cookie value and adding it to requests:$.ajaxSetup({ headers: { 'X-CSRF-TOKEN': csrfCookieValue } });If your client is not browser based, you can implement a different protection than the one in Laravel already. OWASP has a cheat sheet on what your options are, probably double submit is the easiest to implement while being reasonably secure. In very short, you create a random token and send that to the server as a cookie and also as a request header, the server only compares whether the two (cookie and header) match. This works, because an attacker on a differnet origin (domain) cannot set or access a cookie for the application origin due to the same origin policy in browsers.
本回答被题主选为最佳回答 , 对您是否有帮助呢?解决 无用评论 打赏举报
分享
- 2016-10-28 04:29回答 2 已采纳 If your API uses an authentication scheme that does not depend on the authentication token being s
- 2016-11-29 13:26回答 3 已采纳 You should add a field named - _token, instead of csrfToken like this: data.append( "_token", Lar
- 2019-01-14 16:19回答 2 已采纳 The CSRF token is random and unique per session. Hence, an attacker can get the value of this toke
- 2022-12-21 09:00互联网架构的博客 因公众号更改推送规则,请点“在看”并加“星标”第一时间获取精彩技术分享点击关注#互联网架构师公众号,领取架构师全套资料 都在这里0、2T架构师学习资料干货分上一篇:2022...防止 CSRF 攻击?更适用于移动端?...
- 2015-09-23 11:47回答 11 已采纳 You have to add data in your ajax request. I hope so it will be work. data: { "_token": "
- 2011-09-15 15:48回答 3 已采纳 You can do either. It depends on the level of security you want. The OWASP Enterprise Security A
- 2022-04-13 21:14回答 3 已采纳 这样的,比如你在 http://wwww.aaa.com 网站里面, 你现在登录了 假如,有一个修改密码的接口,需要传一个用户名和新密码就能修改,并且要向后端传cookie,cookie校验通过了就进
- 2022-12-03 22:00Java精选的博客 望各位对JWT有更深的理解!十分不幸,我发现越来越多的人开始推荐使用 JWT 管理网站的用户会话(Session)。在本文中,我将说明为何这是个非常非常不成熟的想法。为了避免疑惑和歧义,首先定义一些术语:无状态 JWT...
- 2017-08-14 06:08回答 2 已采纳 Just add this to your script <script type="text/javascript"> $.ajaxSetup({
- 2018-02-17 06:48回答 3 已采纳 You have an error in file C:\wamp64\www\example\vendor\laravel\framework\src\Illuminate\Routing\Ro
- 2016-12-19 09:19回答 1 已采纳 You can create a meta tag with csrf-token by using JavaScript in your html file! How to do this:
- 2021-04-25 14:35黄昏单车的博客 # 301:永久重定向,旧网页已被新网页永久替代 # 302:表示临时性重定向 # 400:错误请求 # 401:未授权,没有权限,未登录 # 403:禁止访问 # 404:找不到页面 # 500:系统错误,服务器错误 # 502:无效响应 # 503...
- 2022-10-11 19:24回答 4 已采纳 共同点为:将一些隐私数据像 cookie、session 发送给攻击者,将受害者重定向到一个由攻击者控制的网站,在受害者的机器上进行一些恶意操作。
- 2021-10-24 09:42原克技术的博客 get 传输的参数在 url 中,传递参数大小有限制 get 不安全,post 安全性比get高 get是显式的,数据从url中可以看到,传输的数据量小,安全性低; post是隐式的,传送的数据量较大,安全性较高 2、echo(),print(),...
- 2020-07-03 09:37baobaodqh的博客 go-jose -JOSE工作组的JSON Web令牌,JSON Web签名和JSON Web加密规范的相当完整的实现。 go-oauth2 server-用Golang编写的独立,符合规范的OAuth2服务器。 gologin用于使用OAuth1和OAuth2身份验证提供程序登录的可...
- 没有解决我的问题, 去提问
悬赏问题
- ¥15 metadata提取的PDF元数据,如何转换为一个Excel
- ¥15 关于arduino编程toCharArray()函数的使用
- ¥100 vc++混合CEF采用CLR方式编译报错
- ¥15 coze 的插件输入飞书多维表格 app_token 后一直显示错误,如何解决?
- ¥15 vite+vue3+plyr播放本地public文件夹下视频无法加载
- ¥15 c#逐行读取txt文本,但是每一行里面数据之间空格数量不同
- ¥50 如何openEuler 22.03上安装配置drbd
- ¥20 ING91680C BLE5.3 芯片怎么实现串口收发数据
- ¥15 无线连接树莓派,无法执行update,如何解决?(相关搜索:软件下载)
- ¥15 Windows11, backspace, enter, space键失灵