dan

Reputation: 1615

CSRF defense using backbone and node.js

I'm creating a website using backbone and node.js and don't think that by default there is any protection against CSRF. Is there a standard way to protect against CSRF when using backbone with node.js? Thanks

Upvotes: 1

Views: 2069

Answers (3)

nekoflux λ

Reputation: 51

If the Allow-Origin header is set to something permissive (e.g., Allow-Origin:*), X-Requested-By will not prevent request forgeries. Any JavaScript running on another host will be able to craft requests that still enable request forgeries.

Upvotes: 1

Michael Yoon

Reputation: 1606

I don't know of anything specific for node.js + backbone, but you can use http://www.senchalabs.org/connect/middleware-csrf.html (assuming you're using express or something connect-compatible). You'll need to output the token somewhere in your HTML, like as a meta tag. Then you can modify the backbone sync method to pull that token and pass it to express via header, query, or form.

Upvotes: 1

ThiefMaster

Reputation: 318568

You could simply ensure requests have the X-Requested-By header with the value XMLHTTPRequest. AJAX requests have cross-domain restrictions, so if that header is present, it was not e.g. a hidden form on a malicious website.

Upvotes: 5
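The header check suggested in this answer, together with the CORS caveat nekoflux raises above, as one added example that is not code from either answer. The middleware is dependency-free and keeps connect's `(req, res, next)` shape. The header name X-Requested-By is taken from the answer; jQuery (which Backbone uses for AJAX) actually sends X-Requested-With: XMLHttpRequest, so the helper accepts either name, case-insensitively. The second function is a small model of the decision a browser makes on a CORS preflight for a credentialed (cookie-carrying) cross-origin XHR that wants to send a custom header; it is added here to make the caveat concrete and is not part of any library. Its rules are the standard ones: with credentials the browser rejects `Access-Control-Allow-Origin: *`, so the dangerous configuration is a server that echoes the request's Origin together with `Access-Control-Allow-Credentials: true` and lists the marker header in `Access-Control-Allow-Headers`.

```javascript
// Added example, not from the original page. Marker-header CSRF check plus a
// model of the browser's preflight decision that shows when a permissive CORS
// configuration defeats it.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
// X-Requested-By is the name used in the answer; X-Requested-With is what jQuery sends.
const MARKER_HEADERS = ['x-requested-with', 'x-requested-by'];

// Does the (lower-cased, as node delivers them) header map carry the marker?
function hasAjaxMarker(headers) {
  return MARKER_HEADERS.some(name =>
    typeof headers[name] === 'string' &&
    headers[name].toLowerCase() === 'xmlhttprequest');
}

// connect-style middleware: state-changing requests without the marker are refused.
// A plain HTML form on another site cannot add custom headers, so it is stopped here.
function requireAjaxHeader(req, res, next) {
  if (SAFE_METHODS.has(req.method) || hasAjaxMarker(req.headers || {})) return next();
  res.statusCode = 403;
  res.end('Forbidden');
}

// Model of the browser's preflight decision for a credentialed cross-origin XHR
// from `requestOrigin` that wants to send `header`. Returns true when the browser
// would let the request through, i.e. when the server's CORS headers have
// undone the marker-header defence. Header names are matched case-insensitively.
function preflightAllows(corsResponseHeaders, requestOrigin, header) {
  const get = name => (corsResponseHeaders[name.toLowerCase()] || '').trim();
  const allowOrigin = get('access-control-allow-origin');
  const allowCreds = get('access-control-allow-credentials').toLowerCase() === 'true';
  const allowHeaders = get('access-control-allow-headers').toLowerCase()
    .split(',').map(s => s.trim()).filter(Boolean);
  // With credentials, '*' is refused; the origin must be echoed exactly.
  const originOk = allowCreds && allowOrigin === requestOrigin;
  // With credentials, '*' in Allow-Headers is not treated as a wildcard either.
  const headerOk = allowHeaders.includes(header.toLowerCase());
  return originOk && headerOk;
}
```

The middleware alone is sufficient against forms and image/link requests, which is the case the answer is about. It stops being sufficient the moment the server answers preflights the way `preflightAllows` returns true for: at that point a script on any origin can attach the user's cookies, set the marker header, and the check passes, which is nekoflux's point. The model ignores preflight caching and the "simple request" rules, neither of which changes the outcome for a request carrying a custom header.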
