堆栈内存溢出
  简体   繁体   English

将用于REST服务的CSRF令牌作为Http响应标头包含是否安全?

[英]Is it safe to include a CSRF token for a REST service as a Http Response Header?

 原文  2014-02-07 11:15:58       java/ rest/ spring-security/ csrf/ owasp

问题描述

I have a set of REST services that are protected by CSRF using something similar to OWASP's Synchronizer Token Pattern ( https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet ). 我有一组受CSRF保护的REST服务,使用的是类似于OWASP的同步器令牌模式( https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet )的服务。 * REST is implemented using Java and JAX-RS * Security is implemented using Spring Security CSRF tokens * HTTP PUT, POST, and DELETE are protected *使用Java和JAX-RS实现REST *使用Spring Security CSRF令牌实现安全性* HTTP PUT,POST和DELETE受保护

At my Web-App startup, I write the correct CSRF token in the HTML page and then the application includes the token as "X-CSRF-HEADER" in the Request Headers for every single request. 在我的Web应用启动时,我在HTML页面中编写了正确的CSRF令牌,然后该应用程序在每个请求的请求标头中都将令牌包括为“ X-CSRF-HEADER”。

I also have clients that access the URLs directly (curl command-line and others for example). 我也有直接访问URL的客户端(例如,curl命令行等)。

The alternate clients need to get the CSRF token somehow (after authenticating of course). 备用客户端需要以某种方式获取CSRF令牌(当然在经过身份验证之后)。

Is it safe to include the token as an HTTP Response Header for GET requests? 将令牌作为GET请求的HTTP响应标头包括在内是否安全? If so, then I could include it in the Response Header and a client could read it out and include it in future Request Headers. 如果是这样,那么我可以将其包含在Response Header中,而客户端可以读出它并将其包含在将来的Request Header中。

Is that safe? 这样安全吗?

1 个解决方案

解决方案1
 4 已采纳  2014-02-07 14:12:34

It is generally considered safe to include the CSRF token in the response headers. 通常认为在响应头中包含CSRF令牌是安全的。 Just as the body of a request, response headers are encrypted in SSL responses and not accessible across domains. 就像请求的主体一样,响应标头在SSL响应中被加密,并且不能跨域访问。 The reason the CSRF token is not rendered to the response by default was to ensure we delay creating a session until it is necessary. 默认情况下,不会将CSRF令牌呈现给响应的原因是为了确保我们将创建会话的时间推迟到必要时。 For details, see SEC-2276 有关详细信息,请参见SEC-2276

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 错误HTTP状态403-在请求参数'_csrf'或标头'X-CSRF-TOKEN'上发现无效的CSRF令牌'null' - Error HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN' 在 spring 上启用的 csrf 云网关不会在响应 header 中添加 csrf 令牌 - csrf enabled on spring cloud gateway does not add the csrf token in the response header 使用 HTTP 不是 200 的 REST 服务时获取响应和 header - Obtain the response and header when consuming a REST service with HTTP other than 200 使用REST服务在HTTP标头中传递参数 - passing parameter in http header with REST service 尝试使用封装的http响应代码构建REST服务 - Trying to build a REST-Service with encapsulated http response codes 如何在 REST Z2567A5EC9705EB7AC2C984033E0618 中使用 json 生成 http 响应? - how to generate http response using json in REST web service? 无法在Restlet Web服务的http响应标头中设置状态原因 - Unable to set status reason in http response header in Restlet Web service 春季启动-在请求参数'_csrf'或标头'X-CSRF-TOKEN'上发现无效的CSRF令牌'null' - Spring boot - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN' spring如何使用_csrf参数或X-CSRF-TOKEN标头在内部验证csrf令牌? - How does the spring internally validate the csrf token with _csrf parameter or X-CSRF-TOKEN header? 找不到AngularJS HTTP POST预期的CSRF令牌 - AngularJS HTTP POST Expected CSRF token not found
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM