stackoom
  简体   繁体   中英

HTTP(S) request security using random headers

 原文  2015-04-30 08:40:40       javascript/ security/ csrf

Question

I understand that CSRF is a major security concern for HTTP(S)-based applications.

From the looks of it, most frameworks send the CSRF token as part of the request body. However, in my case that is somewhat inelegant for several reasons; most importantly I don't want to mess with the transport layer which might send POST requests in many different formats, not necessarily all are JSON or x-www-form-urlencoded .

As a solution, I was thinking of a much less intrusive alternative; particularly, I am generating a random header: A randomized header name (common prefix), containing a random CSRF token.

Is there any security (or other kind of) risk to that?

2 answers

solution1
 2  2015-05-01 09:47:33

You could just set the X-Requested-With header and then check for this server side. Many frameworks, like JQuery, add this automatically to AJAX requests.

X-Requested-With is a de-facto standard for indicating that the request is made via AJAX.

You do not need a random token as it is not possible for this header to be sent cross domain without the server opting in via CORS.

Therefore, setting and checking a non-standard header is a valid way to protect against CSRF.

The OWASP CSRF Prevention Cheat Sheet does not mention it, however it does mention checking the Origin header. However, the logic for this is not straightforward as many browsers do not send Origin for same origin requests.

Also this only works for AJAX requests. With a normal form POST it is not possible to add extra headers. Also, in the past there have been bugs with plugins like Flash that allowed any header to be set enabling an attacker to use Flash to make a cross-domain request. However, issues like these have long since been patched.

If you want a token as well as part of a defence in depth strategy, you could adapt X-Requested-With to include a random token that you then check. eg X-Requested-With: XMLHttpRequest;0123456789ABCDEF .

Then token could simply be a cookie value created just for CSRF prevention purposes (generated with a cryptographically secure algorithm and entropy source of course).

solution2
 1  2015-04-30 08:44:27

Is there any security (or other kind of) risk to that?

There is no: as soon as you can pass it from the client and check on the server - you're fine

Also, how often should I refresh the CSRF token? Do I need a new one for every request, or every few requests, or once per site-visit and day, or...?

Generally you should not refresh it at all. If it's generated using cryptographically strong random number generator - you can have one per session. What important is that it was not possible to guess it, so it should not derive from any known data.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to open a url using javascript and set custom HTTP headers to the request? HTTP request from javascript using raw message including headers AngularJS: http request with missing headers Angular http request with body and headers Getting the http request headers in the frontend How can I get Meteor's HTTP.call (or get) method to modify the HTTP request Headers? Printing the web page's HTTP Headers using JavaScript How can i accessing the web page's HTTP request Headers in JavaScript? Custom Http headers in Angular 2 for every request Set regular HTTP request headers from javascript
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM