Christian

Reputation: 33

Sails.js hook for csrf protection showing strange behaviour when calling from a chrome app like Postman

I am performing a POST via Postman on my RESTful API written in Sails.js. The CSRF flag is enabled in the csrf.js config file. The POST is performed without a valid CSRF token but is working, which surprises me.

In this case the req.headers.origin is filled in and the origin looks like chrome-extension://... As the isSameOrigin function verifies against http(s), this gives no matches back, so the result is false and no CSRF token verification is done.

Could the code

if (sails.config.csrf && (!req.headers.origin || util.isSameOrigin(req)))

be replaced by

if (sails.config.csrf)

In addition, I would like to know what the best thing to do is within a single-page app that calls the REST API. Is it necessary to ask for a csrfToken on each single call, or can the same csrfToken be used as long as the session is valid? Which one is the best practice? The tokens requested seem to remain valid as long as the session is valid.

Highly appreciate your feedback.

Upvotes: 2

Views: 1420

Answers (1)

sgress454

Reputation: 24958

CSRF attacks aren't a concern for requests where the Origin header is sent, or when the origin is on the same site. They're only a concern when you're getting a request from an unknown location (like a form POST without a referrer header) which sends cookies along with it without the sender really thinking about it. When you're using Postman, you only have access to your own cookies, so there's no danger of being able to pose as someone else. Thus, CSRF isn't really necessary. It may be possible to turn off the Origin header coming out of Postman, if you really want to test your CSRF protection; you'd have to look at the docs.

As far as single-page Sails apps go, the CSRF token is valid for the length of the session, so you only need to request the token once. The chances of someone guessing the token are slim! (that's the point).

Upvotes: 1
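As an added example (not code from the question, the answer, or Sails itself), the following models the hook condition quoted in the question and the replacement the asker proposes, and runs both against constructed requests so the difference for a chrome-extension:// origin is visible. The request shape, the app address (http://localhost:1337) and the default-port handling are assumptions.

```javascript
// Added example: models the decision in the Sails CSRF hook quoted in the
// question versus the asker's proposed replacement. Not Sails' own code.

// Assumed request shape: { protocol, hostname, port, headers }.
// Mirrors the page's description of isSameOrigin: only http(s) origins are
// compared, so any other scheme (e.g. chrome-extension://) yields false.
function isSameOrigin(req) {
  const origin = req.headers.origin;
  if (!origin) return false;
  let parsed;
  try {
    parsed = new URL(origin); // WHATWG URL, global in Node
  } catch (e) {
    return false; // unparsable Origin is treated as not same-origin
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return false;
  // Assumption: fall back to the scheme's default port when none is given.
  const reqPort = req.port || (req.protocol === "https" ? "443" : "80");
  const originPort = parsed.port || (parsed.protocol === "https:" ? "443" : "80");
  return parsed.protocol === req.protocol + ":" &&
    parsed.hostname === req.hostname &&
    originPort === reqPort;
}

// The hook's current condition, as quoted in the question: the token is
// checked only when CSRF is on AND (no Origin header OR same origin).
function hookVerifiesToken(config, req) {
  return Boolean(config.csrf && (!req.headers.origin || isSameOrigin(req)));
}

// The asker's proposed replacement: check the token whenever CSRF is on.
function proposedVerifiesToken(config, req) {
  return Boolean(config.csrf);
}

// Constructed sample request against an app served at http://localhost:1337.
// Pass undefined to build a request with no Origin header at all.
function sampleRequest(origin) {
  const headers = origin === undefined ? {} : { origin };
  return { protocol: "http", hostname: "localhost", port: "1337", headers };
}

// Walk the three cases the thread discusses and report which path each takes.
function summarize(config) {
  const cases = [undefined, "http://localhost:1337", "chrome-extension://abcdef"];
  return cases.map((o) => ({
    origin: o === undefined ? "(none)" : o,
    hookChecks: hookVerifiesToken(config, sampleRequest(o)),
    proposedChecks: proposedVerifiesToken(config, sampleRequest(o)),
  }));
}
```

With `sails.config.csrf` enabled, the first two cases are checked by both conditions, while the chrome-extension:// origin is skipped by the current hook and checked by the proposed one.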
