Sahat Yalkabov

Reputation: 33624

How to enforce same origin policy in Express.js?

Suppose I have the following URL route:

app.post('/upvote', function(req, res) {
  // make a database call to increase the vote count
  res.end();
});

What can I do to prevent others from opening up a console and sending AJAX POST request on www.mysite.com/upvote? I'd like it so that only www.mysite.com is allowed to make that POST request and no one else.

Upvotes: 3

Views: 2477

Answers (2)

user568109

Reputation: 47993

I agree with bobince. "Others" is a very general term.

If others belong to other sites (malicious sites on the net):

  • express has csrf middleware to protect from Cross Site Request Forgery. You can use it to prevent such a scenario. See the API docs here.

If others are users of your own site:

  • then that is an authentication issue. Every request must be checked before serving / executing it. You should implement user authentication to prevent this situation. I use passport, and ensure that the user is authenticated before I actually run the app.post handler.

Upvotes: 2

bobince

Reputation: 536339

What can I do to prevent others from opening up a console and sending AJAX POST request

Who is "others"?

If others==users of the site... there is nothing you can do to stop them sending whatever requests they like, using the JavaScript console or any other means. You can't trust the client, so you have to have server-side authorisation: requiring that the user be logged into an account, and registering that the account has upvoted so they can't vote again.

If others==admins of other sites (by serving script to their users that causes submissions to your site)... it isn't possible for JavaScript on another site to cause an AJAX POST request, or at least not unless you deliberately opt into that using CORS. But it's quite possible for them to cause a POST by simply creating a <form> pointing to your address and submitting it.

This is a classic Cross Site Request Forgery problem. The widely-accepted solution to XSRF issues is to include a secret token as a parameter in each POST (form or AJAX) submission. That secret token is associated with the logged-in state of the user, either by being stored in the server-side session, or replicated in a client-side cookie. Either way an attacker from another site isn't capable of getting hold of a token that is valid for the logged-in user, so they can't fake the request.

You need XSRF protection on all actions that have a direct effect, whether AJAX or form-based POSTs.

Upvotes: 4
