stackoom
  简体   繁体   中英

XSRF antiforgery: Asp.Net Core 2 WebApi (not MVC) + separate Server for Angular is possible?

 原文  2018-12-14 13:08:00       angular/ asp.net-core/ asp.net-core-2.0/ csrf/ x-xsrf-token

Question

I'm using Asp.Net Core Webapi 2 with no static content as a backend server + nginx on a separate machine to serve Angular 7 application. Here is the question: does it have sence to try to use xrsf antiforgery protection like services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN"); in case of splitted back and front machines? As far as I understand I have to manage some kind of state between these two servers to provide corresponding cookie from Nginx which backend server will accept.

1 answers

solution1
 0 ACCPTED  2018-12-14 19:57:50

If I have understood the question correctly, you want to know how to protect your webapp from CSRF attack.

Your APIs are hosted in a backend web server, whereas the Angular static contents are hosted in nginx.

The idea is explained in Angular docs . You need to set the cookie XSRF-TOKEN (default name) in authentication REST response. The cookie should be secure but readable using javascript (non- httpOnly ). You can set the value of the cookie to something unique for the user session (ideally a cryptographically generated random number). Here, onwards in every subsequent request, Angular HttpClient would send the cookie value in the request header X-XSRF-TOKEN and the server needs to validate if the cookie value and the request header value are correct. Note that the access token cookie would also accompany the request (as usual in token based authentication). Thus in every valid API call, your web server would receive the access token in cookie header and the XSRF cookie value in custom XSRF header and XSRF cookie header. If the XSRF header is missing or the values do not match, the server rejects the request.

So, the solution is stateless and managed by storing values in cookie which accompany every request (unless you also maintain the XSRF cookie value in the server for more strict validation).

In your setup, the cookie set by the server is not be visible to the Angular static files served by nginx due to same-origin policy. You can however resolve the issue in one of the following ways:

  1. If your web API server and static file server are accessed using different IPs (say 172.168.1.1 and 172.168.2.2) or different domains (say webapi.com or static.com), you need to configure the web api server to set the following headers in response to allow the static file server (172.168.2.2 or static.com) read the cookies: Access-Control-Allow-Origin: https://static.com

  2. If your web API server and static file server are accessed using different sub-domains (webapi.example.com & static.example.com), you can go either with the above approach or set the domain while setting the cookie: Set-Cookie: name=value; domain=example.com Set-Cookie: name=value; domain=example.com

You may also consider reading this thread for CSRF

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question asp.net core 1.1 antiforgery with angular 2/4 ASP.Net Core Antiforgery, Angular and IFRAMES Configure ASP.Net Core Antiforgery to work with Angular SPA Angular 2, ASP.NET Core, WebAPI ASP.NET Core WebAPI: Validation of the provided antiforgery token failed. The cookie token and the request token were swapped Antiforgery throws bad request in asp.net core web api angular How to pass image from Angular(2/4) to in ASP.NET Core WebAPI server folder ASP.NET core SPA SSR: Use AntiForgery Asp.Net Core Mvc and Angular 4 (2) routing asp.net core2 webapi and angular app not rendering in the page
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM