[英]Is it safe to include a CSRF token for a REST service as a Http Response Header?
I have a set of REST services that are protected by CSRF using something similar to OWASP's Synchronizer Token Pattern ( https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet ). 我有一组受CSRF保护的REST服务,使用的是类似于OWASP的同步器令牌模式( https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet )的服务。 * REST is implemented using Java and JAX-RS * Security is implemented using Spring Security CSRF tokens * HTTP PUT, POST, and DELETE are protected *使用Java和JAX-RS实现REST *使用Spring Security CSRF令牌实现安全性* HTTP PUT,POST和DELETE受保护
At my Web-App startup, I write the correct CSRF token in the HTML page and then the application includes the token as "X-CSRF-HEADER" in the Request Headers for every single request. 在我的Web应用启动时,我在HTML页面中编写了正确的CSRF令牌,然后该应用程序在每个请求的请求标头中都将令牌包括为“ X-CSRF-HEADER”。
I also have clients that access the URLs directly (curl command-line and others for example). 我也有直接访问URL的客户端(例如,curl命令行等)。
The alternate clients need to get the CSRF token somehow (after authenticating of course). 备用客户端需要以某种方式获取CSRF令牌(当然在经过身份验证之后)。
Is it safe to include the token as an HTTP Response Header for GET requests? 将令牌作为GET请求的HTTP响应标头包括在内是否安全? If so, then I could include it in the Response Header and a client could read it out and include it in future Request Headers. 如果是这样,那么我可以将其包含在Response Header中,而客户端可以读出它并将其包含在将来的Request Header中。
Is that safe? 这样安全吗?
It is generally considered safe to include the CSRF token in the response headers. 通常认为在响应头中包含CSRF令牌是安全的。 Just as the body of a request, response headers are encrypted in SSL responses and not accessible across domains. 就像请求的主体一样,响应标头在SSL响应中被加密,并且不能跨域访问。 The reason the CSRF token is not rendered to the response by default was to ensure we delay creating a session until it is necessary. 默认情况下,不会将CSRF令牌呈现给响应的原因是为了确保我们将创建会话的时间推迟到必要时。 For details, see SEC-2276 有关详细信息,请参见SEC-2276
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.