rest api 中的 CSRF 令牌
[英]CSRF token in rest api
问题描述
Using CSRF token in rest API is helpful or not?
在 rest API 中使用 CSRF 令牌是否有帮助? as far as I know we don't have a session so we should send the token to client for next request or for submitting the form.据我所知,我们没有 session 因此我们应该将令牌发送给客户端以进行下一个请求或提交表单。
Is it helpful to use it again in ajax(xhr) calls.在 ajax(xhr) 调用中再次使用它是否有帮助。 are there any alternatives?有其他选择吗?
I've been reading the spring documents for this, and it also has some examples.为此,我一直在阅读 spring 文档,其中也有一些示例。 but I was curious that is it really helpful or not?但我很好奇它真的有用吗?
By the way My server is spring 2.2 and my client is Angular 9.顺便说一句,我的服务器是 spring 2.2,我的客户端是 Angular 9。
Thanks谢谢
1 个解决方案
解决方案1
1 2021-01-31 20:17:37
CSRF tokens are essential for preventing XSS attacks, for instance you are logged into your bank, in one tab, and visiting my malicious site that will send a hidden form to your bank stealing your credicard number. CSRF 令牌对于防止 XSS 攻击至关重要,例如,您登录到您的银行,在一个选项卡中,并访问我的恶意站点,该站点将向您的银行发送隐藏表单以窃取您的信用卡号。
If you want to build a more secure site, every request that manipulates the state in the backend (POST, PUT, DELETE etc) should have a CSRF token included, to ensure that the request came from forms on your site and only your site.如果您想构建一个更安全的站点,则在后端(POST、PUT、DELETE 等)中操纵 state 的每个请求都应该包含一个 CSRF 令牌,以确保请求来自您站点上的 forms 并且仅来自您的站点。
You can read more about CSRF tokens on Owasps webpage .您可以在Owasps 网页上阅读有关 CSRF 令牌的更多信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.