stackoom
  简体   繁体   中英

CSRF Token in REST API with authentication

 原文  2015-07-25 11:17:58       rest/ authentication/ http-headers/ csrf/ restful-authentication

Question

I understood the purpose of the CSRF Token protection.

However, I think this protection is useless and we should remove it in the case of a REST API requiring an authentication token in the header for each action.

This way, even if Mallory forges a malicious HTML link to Alice, the attack can not be done. The reason is that:

Alice keeps her authentication information in a header key that Mallory don't know. And unlike a cookie, Alice's browser doesn't submit this authentication token automatically.

So in this context, I would like to have you point of view about the question: can we remove a CSRF token protection from this kind of API design?

2 answers

solution1
 9 ACCPTED  2015-07-25 16:55:06

Yes, you don't need CSRF protection when using a bearer scheme authentication as the browser does not automatically add the Authorization header to the request.

You do need CSRF protection for cookies, basic, Windows, digest and client certificates authentication schemes as these are automatically added by the browser.

See also Dominick Baier's article on implicit vs explicit authentication: http://leastprivilege.com/2015/04/01/implicit-vs-explicit-authentication-in-browser-based-applications/

solution2
 0  2020-07-28 10:47:57

Theoretically, you don´t need CSRF protection as you described. But one of my main concerns is where to store the access token. The local storage of the browser does not provide a good security. So it´s often stored in cookies. And so, the CSRF vulnerability comes back.

Jean-Christophe Baey described in his article a two-cookie mechanism to prevent access tokens from CSRF and from being stolen by XSS.

To sum that article up: The payload of the access token is stored in a cookie that is accessibly by JavaScript. The signature of the access token is stored in a cookie that is NOT accessible by JavaScript. The client reads the payload from the cookie and passes it in the Authentication-Header to the server. The server validates the token based on the signature which is sent in the HttpOnly cookie.

So, its CSRF-save and an attacker cannot steal the entire token via XSS because there is no JS-access to the signature.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question CSRF token in rest api REST API token authentication Rest API with authentication token Token Authentication Rest API Session REST API with token based authentication How to get csrf token from get api and pass csrf token to another post api using REST Assured? How to get and include the CSRF token in the header when working with REST API Token-based REST API Authentication How to make token authentication in Codeigniter 3 REST API REST API Firestore authentication with ID Token
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM