Geek asks and answers

Csrf token

I am interested in protecting my web application using the csrf token generator. My question is, how do I need to send this token back to the server: using the request parameter or the http x-csrf token header?

And what is the difference

+5
source share
2 answers

Since you use Express, you can use its CSRF middleware (via Connect): http://www.senchalabs.org/connect/csrf.html

You can check the source of comments here: https://github.com/senchalabs/connect/blob/master/lib/middleware/csrf.js

, , , POST- ( PUT .. , ) _csrf req.session._csrf.

: https://github.com/senchalabs/connect/blob/master/examples/csrf.js

UPDATE

Connect 2.9.0 req.csrfToken() req.session._csrf

: https://github.com/senchalabs/connect/blob/master/examples/csrf.js

Commit: https://github.com/senchalabs/connect/commit/70973b24eb1abe13b2da4f45c1edbb78c611d250

UPDATE2

( ), ( CSRF) : https://github.com/senchalabs/connect#middleware

+9

, csrf POST . .

AJAX X-CSRF-Token. , , , , POST. , , jQuery, POST .

, jQuery AJAX, hook, X-CSRF-Token . , . .

-

, Django, :

jQuery(document).ajaxSend(function(event, xhr, settings) {

  function getCookie(name) {
    var cookieValue = null;
    if (document.cookie && document.cookie != '') {
      var cookies = document.cookie.split(';');
      for (var i = 0; i < cookies.length; i++) {
        var cookie = jQuery.trim(cookies[i]);
        // Does this cookie string begin with the name we want?
        if (cookie.substring(0, name.length + 1) == (name + '=')) {
          cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
          break;
        }
      }
    }
    return cookieValue;
  }

  function sameOrigin(url) {
    // url could be relative or scheme relative or absolute
    var host = document.location.host; // host + port
    var protocol = document.location.protocol;
    var sr_origin = '//' + host;
    var origin = protocol + sr_origin;
    // Allow absolute or scheme relative URLs to same origin
    return (url == origin || url.slice(0, origin.length + 1) == origin + '/') ||
           (url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin + '/') ||
           // or any other URL that isn't scheme relative or absolute i.e relative.
           !(/^(\/\/|http:|https:).*/.test(url));
  }

  function safeMethod(method) {
    return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
  }

  if (!safeMethod(settings.type) && sameOrigin(settings.url)) {
    xhr.setRequestHeader("X-CSRFToken", getCookie('csrf.token'));
  }
});

cookie, CSRF, . app.use(express.csrf()) :

app.use((function(options) {

  var csrf = express.csrf(options);

  return function(req, res, next) {

    function onCsrfCalled() {
      var token = req.session._csrf;
      var cookie = req.cookies['csrf.token'];

      // Define a cookie if not present
      if(token && cookie !== token) {
        res.cookie('csrf.token', token);
      }

      // Define vary header
      res.header('Vary', 'Cookie');

      next();
    }

    csrf(req, res, onCsrfCalled);
  }
})());
+3

More articles:


All Articles