在AJAX请求的$ http上设置反CSRF令牌是否安全?
[英]Is it safe to set an anti-CSRF token on $http for Ajax requests?
问题描述
It seems creating and handling anti-CSRF tokens for Ajax calls in an Angular application is non-trivial and some are getting around the problem by applying a single token to every Ajax call. 
在Angular应用程序中为Ajax调用创建和处理反CSRF令牌似乎很简单,有些人通过将单个令牌应用于每个Ajax调用来解决此问题。 For example here . 例如这里 。
The solution is quite neat. 解决方案非常简洁。 We just generate the token on the server and send it along with the first loaded page after sign-in. 我们只是在服务器上生成令牌,然后将其与登录后的第一个加载页面一起发送。 Then we ensure it goes out with all future requests like this: 然后,我们确保它可以与所有将来的所有请求一起使用,例如:
$http.defaults.headers.common['RequestVerificationToken'] = 'token should go here';
But I am concerned this may simplify the job of an attacker. 但是我担心这可能会简化攻击者的工作。 They need only get hold of $http in order to make any valid request. 他们只需要持有$ http即可发出任何有效请求。 Is this the case? 是这样吗 Is this method safe? 这种方法安全吗? Is there a 'best practice' regarding Ajax requests and CSRF? 关于Ajax请求和CSRF是否有“最佳实践”?
1 个解决方案
解决方案1
1 2014-05-28 05:13:36
Angular automatically does this for you. Angular会自动为您执行此操作。
Read Cross Site Request Forgery (XSRF) Protection section. 阅读跨站点请求伪造(XSRF)保护部分。 DOCS DOCS
I also suggest you read up CSRF, and what it is, if malicious script is already in your page it does not need to do cross-site requests to pose as the victim. 我还建议您阅读CSRF,这是什么,如果网页中已经存在恶意脚本,则无需进行跨站点请求就可以构成受害者。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.