CSRF token for library files in index.html
Question
I have two index.html files one for login and once user logs in, I load my entire index.html, which has library files like angularjs and other file servered from server.
So my security scan is complaining that i dont have CSRF token for it. While I do have for all the post request. Is it needed for library files fetch also. i am using angualarjs and js
2 answers
solution1
0 2020-10-04 11:23:32
In general, you should not try to set up a CSRF token for AngularJS static files. Actually, they don't need access control at all. Indeed, the AngularJS app is just an empty shell that does not expose any sensitive information (at least, it's not supposed to). Only your backend does and should mitigate CSRF attacks, to prevent malicious authenticated requests from being sent without the user's approval and knowing.
solution2
0 2020-10-06 19:39:07
Some csrf libraries ignore GET , HEAD and OPTIONS requests by default. for example; csurf . Look for the ignoreMethods property in options. If you are using csurf or something similar, look for a configuration option like this. For example, in csurf you would do something like the following in order not to ignore GET requests:
const csrf = require('csurf');
const csrfMiddleware = csrf({
ignoreMethods: ['OPTIONS', 'HEAD'] // <--- change the default to only ignore OPTIONS and HEAD
});
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.