
CSRF token protection with AJAX GET method

I'm a bit confused by the online information.

I'm using CSRF protection with Spring Security on my back-end.

I wanted to ask: is it safe to send the CSRF token from my Angular front-end while I'm passing the token in an HTTP header using the Ajax GET method?

Because according to the Spring docs I shouldn't use the GET method, but on the other hand they don't say anything about whether it's okay to use GET with Ajax when I pass the token in an HTTP header.

Second,

If I shouldn't use GET, how do I use a REST service with CSRF protection? Should I give up the GET method or CSRF protection?

Since GET requests should not modify any state on the server and should be "read-only", CSRF protection should usually not be needed for GET requests.

The problem of leakage is mostly related to browser usage, because GET requests usually do not contain a body and thus the token is sent as a request parameter. Thus the CSRF token could be visible through shoulder surfing, stored in a bookmark, appear in the browser history, or be logged on the server (although logging also applies to AJAX requests).

Since you are talking about AJAX requests, most of this leakage does not apply, although setting it in a header may help in case URLs appear in the logs, but logs could also contain headers.

But actually, using a custom header (with or without a token) is often used to prevent CSRF attacks, because AJAX requests cannot set custom headers cross-domain other than

  • Accept
  • Accept-Language
  • Content-Language
  • Last-Event-ID
  • Content-Type

Thus using a custom header like X-Requested-With: XMLHttpRequest, which is e.g. set by jQuery, and verifying this header on the server can prevent CSRF attacks.

Last but not least, there is one interesting article about having the same token for GET and POST requests and having same-origin access to the GET request via an XSS vulnerability in a separate web application in the same origin, where the token can be leaked from the GET request and used for a POST. The solution there is to either not use CSRF tokens for GET or to use different tokens for GET and POST.

Basically, regarding your questions: if your GET does not have any side-effects, a CSRF token is not really needed but would not hurt. On the other hand, if your GET request changes something on the server, you should think about using another verb (e.g. POST) depending on what you want to do, and then protect your POST requests with a CSRF token or a custom header.
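As an added example that is not part of the original question or answer, and not Spring Security's or Angular's own code, here is a minimal Node.js model of the two server-side checks the answer describes (comparing the token in a header against the one in the cookie, and the custom-header presence check) together with the client-side step of copying the token from the cookie into a request header instead of the URL. The cookie name XSRF-TOKEN and header name X-XSRF-TOKEN are assumptions chosen to match the defaults of Angular's HttpClient XSRF support and Spring Security's CookieCsrfTokenRepository; the sample requests are constructed for the demonstration.

```javascript
// Added example (not from the original post, Spring Security or Angular):
// a minimal server-side CSRF gate applying the rules discussed above.
// Assumptions (hypothetical, matching Angular/Spring defaults):
//   - the CSRF token is stored in a cookie named XSRF-TOKEN
//   - the client echoes it in the X-XSRF-TOKEN request header
//   - safe methods must be side-effect free and are therefore not
//     token-checked, as in Spring Security's default request matcher

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Constant-time comparison: the loop always covers the full length of `a`,
// so a long matching prefix does not finish faster than an early mismatch.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ (i < b.length ? b.charCodeAt(i) : 0);
  }
  return diff === 0;
}

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookies(cookieHeader) {
  const cookies = {};
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Header names are case-insensitive; normalise once for simple lookups.
function lowerCaseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) out[name.toLowerCase()] = value;
  return out;
}

// Token check: a request passes only if it uses a safe method, or if the
// header value matches the cookie value the browser sent alongside it.
function csrfTokenGate(req) {
  const method = String(req.method || "").toUpperCase();
  if (SAFE_METHODS.has(method)) return { allowed: true, reason: "safe method, no token required" };
  const headers = lowerCaseHeaders(req.headers);
  const expected = parseCookies(headers.cookie)["XSRF-TOKEN"];
  const presented = headers["x-xsrf-token"];
  if (!expected) return { allowed: false, reason: "no XSRF-TOKEN cookie" };
  if (!presented) return { allowed: false, reason: "missing X-XSRF-TOKEN header" };
  if (!constantTimeEqual(expected, presented)) return { allowed: false, reason: "token mismatch" };
  return { allowed: true, reason: "token matches cookie" };
}

// Custom-header check from the answer: a cross-site <form> or <img> cannot
// add X-Requested-With, and a cross-origin XHR that tries triggers a CORS
// preflight the server can refuse. Holds only while the CORS policy does not
// allow that header from other origins.
function customHeaderGate(req) {
  const method = String(req.method || "").toUpperCase();
  if (SAFE_METHODS.has(method)) return { allowed: true, reason: "safe method" };
  const headers = lowerCaseHeaders(req.headers);
  if (headers["x-requested-with"] === "XMLHttpRequest") return { allowed: true, reason: "custom header present" };
  return { allowed: false, reason: "missing X-Requested-With header" };
}

// Client side: build the headers an XHR/fetch wrapper sends so the token
// travels in a header, not the URL. `documentCookie` stands in for document.cookie.
function buildAjaxHeaders(documentCookie) {
  const token = parseCookies(documentCookie)["XSRF-TOKEN"];
  const headers = { "X-Requested-With": "XMLHttpRequest" };
  if (token) headers["X-XSRF-TOKEN"] = token;
  return headers;
}

// Constructed sample requests. The browser attaches the cookie to all of
// them; only the same-origin AJAX call can also add the headers.
const SESSION_COOKIE = "JSESSIONID=0123ABCD; XSRF-TOKEN=9f2c1c4e-token";
const SAMPLE_REQUESTS = {
  crossSiteFormPost: { method: "POST", headers: { Cookie: SESSION_COOKIE } },
  sameOriginAjaxPost: { method: "POST", headers: { Cookie: SESSION_COOKIE, ...buildAjaxHeaders(SESSION_COOKIE) } },
  wrongTokenPost: { method: "POST", headers: { Cookie: SESSION_COOKIE, "X-XSRF-TOKEN": "9f2c1c4e-tokem" } },
  readOnlyGet: { method: "GET", headers: { Cookie: SESSION_COOKIE } },
};

// Run both gates over every sample and return the verdicts.
function runSamples() {
  const results = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    results[name] = { token: csrfTokenGate(req).allowed, header: customHeaderGate(req).allowed };
  }
  return results;
}

console.log(runSamples());
```

Run it with node. The cross-site form post is rejected by both gates even though the browser attached the XSRF-TOKEN cookie, which is the whole point: an attacker's page can cause the cookie to be sent but can neither read it nor add a header. The GET passes with no token at all, so the GET handler must have no side effects. Two caveats for practice: the header-presence check only holds while the server's CORS policy does not allow that header (or wildcard headers with credentials) from other origins, and Angular's XSRF interceptor adds X-XSRF-TOKEN only for non-GET/HEAD requests to relative URLs, so a token-checked GET would need the header set explicitly.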
