[英]Anti forgery token as header field or as Post value on AJAX?
I'm working now on Ring Anti Forgery to prevent the site from CSRF attacks. 我正在研究Ring Anti Forgery,以防止该站点遭受CSRF攻击。 Now I'm in doubt if I should pass the token as a header field or as a post
value on AJAX request as they both seem to work. 现在,我是否应该将令牌作为AJAX请求上的标头字段或post
值传递,因为它们似乎都可以工作。
On the doc it says: 在文档上说:
The middleware also looks for the token in the X-CSRF-Token and X-XSRF-Token header fields, which are commonly used in AJAX requests. 中间件还在X-CSRF-Token和X-XSRF-Token标头字段中查找令牌,这些字段通常在AJAX请求中使用。
The downside of setting it to a header field on my side is that I have to change every Jquery $.post
to a simple $.ajax
so I can set the headers. 在我这边将其设置为标头字段的不利之处在于,我必须将每个Jquery $.post
更改为一个简单的$.ajax
以便我可以设置标头。
eg 例如
$.ajax({
url: "url",
type: "post",
data: {
username: username,
sender: sender
},
headers: {
"X-CSRF-Token": X_CSRF_Token,
}
});
vs. 与
$.post( "url", { username: username, sender: sender, '__anti-forgery-token': X_CSRF_Token})
.done(function( data ) {
// done
});
Is there a need for me to change every jQuery $.post
to a $.ajax
so I can set the anti forgery token as a header field? 我是否需要将每个jQuery $.post
更改为$.ajax
以便将防伪令牌设置为标头字段?
您可以在每个ajax调用中使用$.ajaxSetup
设置CSRF令牌: https : $.ajaxSetup
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.