
REST API Client only in HTML / JS

Is it possible to build a client purely in HTML / JS for a REST API and still prevent CSRF?

It's possible.

CSRF prevention is usually made for simple websites, not APIs, since APIs are generally intended to be accessed by other websites. Hidden crumbs and tokens, which are the most common way to prevent this kind of attack, won't work properly on consumable APIs.

What you probably need is a good main authentication mechanism. One of the main weaknesses of web applications vulnerable to CSRF is cookies. If your API doesn't need them, using another auth mechanism (like OAuth or HTTP Digest) may be the answer, so external users can still use the API safely (without nasty crumb verifications).

Both HTTP Auth Basic and OAuth 2.0 are feasible under JS client applications. There is a demo for OAuth2 here: https://gist.github.com/563893

Twitter uses its own public API inside the main website, so there is proof that something like this is possible, although I'm not sure how specifically they prevent external CSRF. Every request is made by a receiver (located here: https://api.twitter.com/receiver.html ) and authorization tokens are tunneled by cookies. You'll probably need to research their implementation further.
