Timeline for CORS & CSRF Prevention for a REST-based API
Current License: CC BY-SA 3.0
15 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Mar 10, 2016 at 17:55 | answer added | ozkary | | timeline score: 1 |
| Sep 27, 2015 at 10:48 | answer added | SilverlightFox | | timeline score: 7 |
| Jun 11, 2015 at 14:05 | comment added | vallentin | | @NeilSmithline Yes, I see, but why do you tell me a solution and immediately say, don't use that solution? Then it's clearly not a solution. |
| Jun 11, 2015 at 14:04 | comment added | Neil Smithline | | No - you can't use a cookie for authentication, as that will introduce a CSRF vulnerability. I thought that the problem you mentioned with multiple tabs not all being logged in could be solved if you can share the CSRF token across the tabs. You can share it by putting it in a cookie. Your JavaScript can extract the cookie and pass it to your API. Your API should ignore the cookie, as you don't know if it was genuine or put there due to a CSRF attack. |
| Jun 11, 2015 at 7:28 | comment added | vallentin | | @NeilSmithline I'm not sure I follow; you say I should pass a token both from the cookie and in JavaScript? |
| Jun 11, 2015 at 0:00 | comment added | Neil Smithline | | You can store the token in a cookie as long as your website won't accept the token from the cookie (otherwise you have a CSRF vulnerability). Have your JavaScript pass it to the API. That will give you cross-tab SSO. |
| Jun 8, 2015 at 23:53 | comment added | vallentin | | The only "problem" I see with that is that now the user has to log in each time he/she opens a new tab and enters the URL. |
| Jun 8, 2015 at 23:50 | comment added | vallentin | | @NeilSmithline that might have made me realize something. So would the following work... Log in, get an authentication token (this token must be passed on each request or the user is logged out). Thereby if a user is only and another site tries to get something, then as the authentication token isn't there the user will be logged out. |
| Jun 8, 2015 at 23:25 | comment added | Neil Smithline | | Ahh - found a much better reference. It talks about CORS and CSRF specifically. See scotch.io/tutorials/… |
| Jun 8, 2015 at 23:21 | comment added | Neil Smithline | | OAuth is a token authentication system (brief summary of token authn) which uses public keys and digital signatures to validate authentication without the need to pass uname/pwd on each request. The API client would authenticate to get a token and then pass the token on subsequent calls. The server validates the digital signature of the token before proceeding. |
| Jun 8, 2015 at 23:00 | comment added | vallentin | | @NeilSmithline so each time a request is made to the API, authentication needs to be made? So at each request send login data along? How would you safely "do" that? Couldn't an attacker then GET the page and read the "login data" from the page? |
| Jun 8, 2015 at 17:23 | comment added | Neil Smithline | | CSRF is only a problem when you have a client that automatically sends data like session cookies for any request to a site. So, as @Rabobank said, no need for CSRF protection in the API, as the API client doesn't have access to the browser's cookies. |
| Jun 8, 2015 at 16:19 | answer added | racec0ndition | | timeline score: 1 |
| Jun 8, 2015 at 15:48 | comment added | Tijme | | I don't really think you need CSRF protection for your API. I do think you need authentication. Take a look at OAuth. I think that's what you need: oauth.net |
| Jun 8, 2015 at 13:52 | history asked | vallentin | CC BY-SA 3.0 | |