dave walker

Reputation: 3108

Is it safe to set an anti-CSRF token on $http for Ajax requests?

It seems creating and handling anti-CSRF tokens for Ajax calls in an Angular application is non-trivial and some are getting around the problem by applying a single token to every Ajax call. For example here.

The solution is quite neat. We just generate the token on the server and send it along with the first loaded page after sign-in. Then we ensure it goes out with all future requests like this:

$http.defaults.headers.common['RequestVerificationToken'] = 'token should go here';

But I am concerned this may simplify the job of an attacker. They need only get hold of $http in order to make any valid request. Is this the case? Is this method safe? Is there a 'best practice' regarding Ajax requests and CSRF?

Upvotes: 0

Views: 812

Answers (1)

Quad

Reputation: 1718

Angular automatically does this for you.

Read the Cross Site Request Forgery (XSRF) Protection section of the $http docs.

I also suggest you read up on CSRF and what it is: if malicious script is already in your page, it does not need to make cross-site requests to pose as the victim.

Upvotes: 1
