反伪造令牌作为标头字段还是AJAX上的发布值?
[英]Anti forgery token as header field or as Post value on AJAX?
问题描述
I'm working now on Ring Anti Forgery to prevent the site from CSRF attacks. 
我正在研究Ring Anti Forgery,以防止该站点遭受CSRF攻击。 Now I'm in doubt if I should pass the token as a header field or as a post value on AJAX request as they both seem to work. 现在,我是否应该将令牌作为AJAX请求上的标头字段或post值传递,因为它们似乎都可以工作。
On the doc it says: 在文档上说:
The middleware also looks for the token in the X-CSRF-Token and X-XSRF-Token header fields, which are commonly used in AJAX requests.
The downside of setting it to a header field on my side is that I have to change every Jquery $.post to a simple $.ajax so I can set the headers. 在我这边将其设置为标头字段的不利之处在于,我必须将每个Jquery $.post更改为一个简单的$.ajax以便我可以设置标头。
eg 例如
$.ajax({
url: "url",
type: "post",
data: {
username: username,
sender: sender
},
headers: {
"X-CSRF-Token": X_CSRF_Token,
}
});
vs. 与
$.post( "url", { username: username, sender: sender, '__anti-forgery-token': X_CSRF_Token})
.done(function( data ) {
// done
});
Is there a need for me to change every jQuery $.post to a $.ajax so I can set the anti forgery token as a header field? 我是否需要将每个jQuery $.post更改为$.ajax以便将防伪令牌设置为标头字段?
1 个解决方案
解决方案1
4 已采纳 2015-10-21 13:04:49
您可以在每个ajax调用中使用$.ajaxSetup设置CSRF令牌: https : $.ajaxSetup
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.