stackoom
  简体   繁体   中英

Is it safe to set an anti-CSRF token on $http for Ajax requests?

 原文  2014-05-28 04:36:37       ajax/ angularjs/ csrf

Question

It seems creating and handling anti-CSRF tokens for Ajax calls in an Angular application is non-trivial and some are getting around the problem by applying a single token to every Ajax call. For example here .

The solution is quite neat. We just generate the token on the server and send it along with the first loaded page after sign-in. Then we ensure it goes out with all future requests like this:

$http.defaults.headers.common['RequestVerificationToken'] = 'token should go here';

But I am concerned this may simplify the job of an attacker. They need only get hold of $http in order to make any valid request. Is this the case? Is this method safe? Is there a 'best practice' regarding Ajax requests and CSRF?

1 answers

solution1
 1  2014-05-28 05:13:36

Angular automatically does this for you.

Read Cross Site Request Forgery (XSRF) Protection section. DOCS

I also suggest you read up CSRF, and what it is, if malicious script is already in your page it does not need to do cross-site requests to pose as the victim.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question anti-CSRF token and Javascript Is it safe to pass csrf_token directly to ajax post data? django: csrf_token for multiple forms and ajax requests on a single page How to pass CSRF token manually for POST requests in ajax Django How to define CSRF token in ajax call in Cakephp 3. Also How CSRF can be off for some ajax requests X-CSRF-Token error with ElasticSearch and AJAX requests in Rails Symfony forms returning CSRF token is invalid from AJAX requests CSRF protection for ajax requests CSRF in Ajax requests csrf token is missing in ajax
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM