从服务器到AngularJS客户端的CSRF令牌交换
[英]CSRF token exchange from server to AngularJS client
问题描述
I'm going crazy trying to figure out how to implement a CSRF protection for my Web app. 
我很疯狂,试图弄清楚如何为我的Web应用程序实现CSRF保护。 I've read tons of pages but still cannot decide on the solution in my particular context. 我已经阅读了成千上万的页面,但仍无法根据自己的具体情况决定解决方案。
So, first my Web app is written in Angular, deployed statically on an Apache server. 因此,首先,我的Web应用是用Angular编写的,并静态部署在Apache服务器上。 It calls some services on my server, Java type, deployed in a war on an application server. 它在战争中部署在我的服务器上的Java类型的一些服务上,这些服务部署在应用程序服务器上。 Both of them are deployed on the same domain. 两者都部署在同一域中。 After authentication the usual session cookie (secure+HttpOnly) is set in the response. 身份验证后,将在响应中设置常规会话cookie(安全+ HttpOnly)。
Now, I would like to implement a CSRF protection based on either a synchronizer token or a double submit cookie pattern (but from what I saw the first is a better solution as I can handle a state on server side). 现在,我想基于同步器令牌或双提交cookie模式实现CSRF保护(但是从我看到的第一个来看,这是一个更好的解决方案,因为我可以处理服务器端的状态)。
Most of the solutions I saw are proposing to generate the token server side and to store it in a cookie so it can be accessed on client side. 我看到的大多数解决方案都建议生成令牌服务器端并将其存储在cookie中,以便可以在客户端进行访问。 The constraint for this to work, and I would that it is a big one, is that the cookie cannot be HttpOnly, as Javascript would not be able to access it. 使其起作用的约束(我想这是一个很大的约束)是cookie不能为HttpOnly,因为Javascript无法访问它。 Moreover I have the feeling that sharing the token in a non fully protected cookie wouldn't be a good idea. 此外,我感觉在一个未完全保护的cookie中共享令牌不是一个好主意。 But it seems to be the recommended solution from AngularJS ... 但这似乎是AngularJS的推荐解决方案...
So, if I discard this solution what am I left with? 所以,如果我放弃这个解决方案,我剩下什么呢? Putting the token not in a cookie but rather in the response header? 将令牌不是放在cookie中,而是放在响应头中? Is it secure? 安全吗? Exposing a service to fetch the token? 公开服务以获取令牌? Seems practical but not sure if it is a good idea? 似乎实用,但不确定是否是个好主意? Expose a servlet to build a Javascript to provide the token, like in OWASP Guard? 像在OWASP Guard中一样,公开一个servlet来构建一个提供令牌的Javascript? Anything else? 还要别的吗?
EDIT: It seems that Spring is going for the injection of the token name and value in the HTTP response as a solution. 编辑:看来Spring打算在HTTP响应中注入令牌名称和值作为解决方案。
Thanks for your help! 谢谢你的帮助!
1 个解决方案
解决方案1
0 2017-10-06 21:05:21
- CSRF token should generated once per user session. CSRF令牌应在每个用户会话中生成一次。
- It should be stored in server side session (HttpSession in case of Java) 它应该存储在服务器端会话中(对于Java,则为HttpSession)
- Client should store the token as a hidden parameter not in the browser's cookie. 客户端应将令牌作为隐藏参数存储在浏览器的Cookie中,而不是在其中。
- Server should validate the presence of the CSRF token for each request and compare with the token stored in session. 服务器应验证每个请求的CSRF令牌是否存在,并与会话中存储的令牌进行比较。
More details : https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet 更多详细信息: https : //www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.