Currently working on my own Express App with CSurf for csrf validation.

Works great but one problem...

HOW THE FUCK SHOULD A POST REQUEST COMING FROM JAVA GET THE FUCKING TOKEN.

Should I make my REST API without csrf protection?

I am crying right now...

Comments
  • 0
    @11000100111000 good point! Thank you!
  • 1
    @11000100111000 I got one web app. But isn't csrf token useless if anyone can get one via get?
  • 1
    APIs usually have a token for a session for this, so an app only needs to use this token to get access without transferring passwords.
  • 0
    @11000100111000 I know that, that's why I have csrf token. And why should I let anyone create one?
  • 0
    @11000100111000 ok I'll try, seems to be working..

    Just wondering how long such token is valid 🤔
  • 0
    @11000100111000 ok thank you!
  • 0
    @11000100111000 I am using my own session system because I migrated from PHP to Node and didn't want to rewrite my whole backend with SQL and so on

    Or what sessions do you mean?
  • 0
    @11000100111000 I'm a noob in express... I try ^^
  • 0
    @SteffTek No, please don't bind it to the connection. I may have a tab open for 30 minutes and still want to write my comments...
  • 0
    @SteffTek Maybe you want double-submit tokens? Send the tokens in a cookie AND send them via form (or JavaScript or whatever). This way you don't need to store "valid" tokens somewhere.
  • 0
    @sbiewald I stuck with disabling csrf on my API calls completely. Works fine and is promoted by CSurf Middleware GitHub
  • 1
    @11000100111000 No it doesn't, as long as they are sent via form, too. An attacker cannot modify session cookies of a user for a third-party site.
  • 0
    @11000100111000 I tried, got a forbidden
  • 0
    @11000100111000 but it's recommended by the csrf Middleware to make APIs without that token, so other applications can access them
  • 0
    @11000100111000 And the token still has to be sent in the request body, too (and an attacker cannot make it magically match the cookie). Please see: https://github.com/OWASP/...

    There are drawbacks, e.g. when subdomains are attacker controlled.
  • 0
    @11000100111000 how should they?
  • 0
    @11000100111000 No problem.