Reputation: 615
I am working on an enterprise solution using sailsjs as the nodejs framework. Security is an integral part of the implementation. Apart from SSL and CORS, we are also using the sailsjs CSRF implementation. I am still evaluating how secure it is to use this token. Can anybody guide me on the following: Where does sailsjs store the CSRF token? Is it encrypted? How secure is it to use?
Upvotes: 1
Views: 1488
Reputation: 73015
You'll need to do some work to validate that your tokens are not accessible to untrusted servers; they should respond only to GET requests, they should not be accessible via AJAX, nor should CORS headers be enabled.
PillarJS has an excellent readme on CSRF. It says about CSRF tokens:
CSRF Tokens
Alas, the final solution is using CSRF tokens. How do CSRF tokens work?
Server sends the client a token. Client submits a form with the token. The server rejects the request if the token is invalid. An attacker would have to somehow get the CSRF token from your site, and they would have to use JavaScript to do so. Thus, if your site does not support CORS, then there's no way for the attacker to get the CSRF token, eliminating the threat.
Make sure CSRF tokens can not be accessed with AJAX! Don't create a /csrf route just to grab a token, and especially don't support CORS on that route!
The token just needs to be "unguessable", making it difficult for an attacker to succeed within a couple of tries. It does not have to be cryptographically secure. An attack is one or two clicks by an unbeknownst user, not a brute force attack by a server.
Also consider this from Sails.js docs which gives a real-world example of how they operate:
CSRF tokens are temporary and session-specific; e.g., imagine Mary and Muhammad are both shoppers accessing our e-commerce site running on Sails, and CSRF protection is enabled. Let's say that on Monday, Mary and Muhammad both make purchases. In order to do so, our site needed to dispense at least two different CSRF tokens: one for Mary and one for Muhammad. From then on, if our web backend received a request with a missing or incorrect token, that request will be rejected. So now we can rest assured that when Mary navigates away to play online poker, the 3rd party website cannot trick the browser into sending malicious requests to our site using her cookies.
And finally, Sails.js uses the Connect CSRF protection middleware. Tokens are stored on a per-session basis, and therefore are not stored in a database nor is (double) encryption needed. Here's another excellent SO answer on the subject: Why does Express/Connect generate new CSRF token on each request?
Upvotes: 4