
Passing csrf token to client application

I have a web application which is split into two separate modules (client and server side). The server has REST services defined and the client calls the REST services to get data. I want to have the server protected against CSRF attacks. So any client POST/PUT/DELETE requires passing a csrf token in a header, and the token value should be equal to the csrfToken saved in the session. My question is: since the csrf token is generated by the server, how can the client app obtain the token value?

Should the client send a GET request after login, with the server generating a csrf token, storing it as a session attribute and sending it back to the client in the response, or is there a better solution?

It's up to you whether you want the csrf token on the client side or not.

The csrf token is always created on the landing page or on the user's first ajax request, in the server-side backend black-box logic...

Client side means: if JSP, then you can easily write the code, because JSP runs on the server side, with all the benefits that we as programmers know...

If in the application we use JS or a JS-based framework [like ExtJS, Dojo toolkit, AngularJS, YUI or any other] and our view is a .html file, then I feel we go with the landing page...

Landing page means the first page... or, if we use ajax, the first ajax request by the user to the server when the user hits our server...

On the first ajax request or the landing page you can generate one token and save it in the session as the csrf token; after that, for the whole session of that user, you have to check the csrf token by writing a filter...

The filter must check that the user session is not null, that the user is a logged-in user with permission based on your application, and that the session has a csrf token...

So, as every new user must pass through your landing page [login page] and gets one session on the server side, any bogus request is not allowed and you have one security layer.

Enjoy :)
