[英]CSRF token exchange from server to AngularJS client
I'm going crazy trying to figure out how to implement a CSRF protection for my Web app. 我很疯狂,试图弄清楚如何为我的Web应用程序实现CSRF保护。 I've read tons of pages but still cannot decide on the solution in my particular context.
我已经阅读了成千上万的页面,但仍无法根据自己的具体情况决定解决方案。
So, first my Web app is written in Angular, deployed statically on an Apache server. 因此,首先,我的Web应用是用Angular编写的,并静态部署在Apache服务器上。 It calls some services on my server, Java type, deployed in a war on an application server.
它在战争中部署在我的服务器上的Java类型的一些服务上,这些服务部署在应用程序服务器上。 Both of them are deployed on the same domain.
两者都部署在同一域中。 After authentication the usual session cookie (secure+HttpOnly) is set in the response.
身份验证后,将在响应中设置常规会话cookie(安全+ HttpOnly)。
Now, I would like to implement a CSRF protection based on either a synchronizer token or a double submit cookie pattern (but from what I saw the first is a better solution as I can handle a state on server side). 现在,我想基于同步器令牌或双提交cookie模式实现CSRF保护(但是从我看到的第一个来看,这是一个更好的解决方案,因为我可以处理服务器端的状态)。
Most of the solutions I saw are proposing to generate the token server side and to store it in a cookie so it can be accessed on client side. 我看到的大多数解决方案都建议生成令牌服务器端并将其存储在cookie中,以便可以在客户端进行访问。 The constraint for this to work, and I would that it is a big one, is that the cookie cannot be HttpOnly, as Javascript would not be able to access it.
使其起作用的约束(我想这是一个很大的约束)是cookie不能为HttpOnly,因为Javascript无法访问它。 Moreover I have the feeling that sharing the token in a non fully protected cookie wouldn't be a good idea.
此外,我感觉在一个未完全保护的cookie中共享令牌不是一个好主意。 But it seems to be the recommended solution from AngularJS ...
但这似乎是AngularJS的推荐解决方案...
So, if I discard this solution what am I left with? 所以,如果我放弃这个解决方案,我剩下什么呢? Putting the token not in a cookie but rather in the response header?
将令牌不是放在cookie中,而是放在响应头中? Is it secure?
安全吗? Exposing a service to fetch the token?
公开服务以获取令牌? Seems practical but not sure if it is a good idea?
似乎实用,但不确定是否是个好主意? Expose a servlet to build a Javascript to provide the token, like in OWASP Guard?
像在OWASP Guard中一样,公开一个servlet来构建一个提供令牌的Javascript? Anything else?
还要别的吗?
EDIT: It seems that Spring is going for the injection of the token name and value in the HTTP response as a solution. 编辑:看来Spring打算在HTTP响应中注入令牌名称和值作为解决方案。
Thanks for your help! 谢谢你的帮助!
More details : https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet 更多详细信息: https : //www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.