我正在使用php/symfony2开发RESTful API.
I'm developing RESTful API using php/symfony2.
Symfony2具有开箱即用的CSRF保护功能,并且在使用常规表单数据时可以正常工作(它将CSRF令牌传递到表单,并且在回发时它期望嵌入在表单中的令牌相同).
Symfony2 comes with CSRF protection out of the box and it works fine when using normal form data (it passes CSRF token to the form and when posted back it expects the same token which is embeded in the form).
但是,如果您开发RESTful API,则此解决方案不适合目标用途,因为我的后端<->前端之间的通信完全基于JSON.因此,我禁用了CSRF.
Nonetheless this solution is not fit for purpose if you develop RESTful API, where my communication between backend<->frontend is purely JSON based. Because of that I disabled CSRF.
我知道没有CSRF令牌是不安全的,所以我想知道使用带有RESTful API的CSRF的最佳方法是什么.
I'm aware not having CSRF token is not safe, so I'm wondering what's the most optimal way to have CSRF with RESTful API.
一个主意是拥有特定的网址,例如/api/generate/csrf,可以由前端调用,然后将令牌附加到json请求.听起来并不是最安全的方法,因为技术上任何人都可以生成令牌.
One idea in mind is to have specific URL e.g. /api/generate/csrf, which can be called by frontend then append token to json request. It doesn't sound as the safest way as token technically could be generated by anyone.
开发RESTful API时解决CSRF问题的最佳方法是什么.
What's the best way to approach CSRF problem when developing RESTful APIs.
干杯, 理查德
推荐答案请记住,只有当REST客户端使用基于会话的身份验证时,才需要CSRF保护,否则CSRF保护将无济于事.
Remember that you only need CSRF protection when your REST client is using session based authentication, otherwise CSRF protection won't help you.
如果您的请求确实使用基于会话的身份验证,则将CSRF令牌作为标头包含在内.像这样:
If your requests DO use session based authentication, I would include the CSRF token as a header. Something like:
CSRF-Token: dfsa0jr3n2io20a;更多推荐
CSRF和RESTful API(symfony2,php)
发布评论