Reputation: 8492
I'm creating a web app in Laravel, but CSRF is killing its ajax functionality.

The submission of the token with ajax works fine; using ajaxSetup I can attach the token to every request, so no problem with this part.

But every time the user leaves the browser window for too long (perhaps a couple of hours or more), ajax requests start returning error 500 (token mismatch) - perhaps the server updates the token and the client keeps the old one, forcing the user to refresh the page to keep it functional, something I don't want to do.

So I was thinking of creating some sort of ajax timer to get the updated CSRF token from the server every once in a while... but it seems a bit of a hackish solution, and maybe even useless? (If I'm serving the token, someone can request it and still do a CSRF attack, right?)

To solve this issue once and for all, I would have to do something more risky: disabling CSRF completely for ajax calls. My question is: could this really hurt my security that badly? I've seen many people recommending turning it off, but it seems like a big deal if someone can cross-request sensitive actions on a user account (such as deleting the account or something like this).

What would you guys recommend? This issue is keeping me awake at night :/
Upvotes: 1
Views: 139
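As an added illustration (not code from the question or from Laravel), here is a browser-side wrapper that keeps CSRF checks enabled and instead re-fetches the token from a same-origin endpoint when the server reports a mismatch, then retries once. It assumes a hypothetical same-origin route `GET /csrf-token` returning `{"token": "..."}` and treats both 419 (what current Laravel returns for a token mismatch) and the 500 the question observed as a mismatch; the same-origin policy prevents another origin from reading that endpoint's response, so serving the token this way does not give a cross-site attacker the token as long as the route sends no permissive CORS headers.

```javascript
// Hypothetical same-origin endpoint that returns the current session's CSRF token.
const CSRF_ENDPOINT = '/csrf-token';

let csrfToken = null; // cached token for this tab

async function refreshCsrfToken(fetchImpl) {
  // Same-origin request with the session cookie: a cross-origin page cannot
  // read this response (same-origin policy), so the token stays with the user.
  const res = await fetchImpl(CSRF_ENDPOINT, { credentials: 'same-origin' });
  const body = await res.json();
  csrfToken = body.token;
  return csrfToken;
}

function isTokenMismatch(status) {
  // 419 is Laravel's "page expired" (TokenMismatch) response; the question saw 500.
  return status === 419 || status === 500;
}

// POST JSON with the X-CSRF-TOKEN header; on a mismatch, refresh the token
// and retry exactly once instead of forcing the user to reload the page.
async function postWithCsrf(url, data, fetchImpl = globalThis.fetch) {
  if (csrfToken === null) await refreshCsrfToken(fetchImpl);
  const send = () => fetchImpl(url, {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/json', 'X-CSRF-TOKEN': csrfToken },
    body: JSON.stringify(data),
  });
  let res = await send();
  if (isTokenMismatch(res.status)) {
    await refreshCsrfToken(fetchImpl);
    res = await send();
  }
  return res;
}
```

The retry is deliberately limited to one attempt so that a genuinely expired session still surfaces as an error rather than an endless refresh loop.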
Reputation: 9753
I have only one option in mind for now...

You can start looking at CORS configurations on your application, changing Access-Control-Allow-Origin headers for a few routes. reference
Upvotes: 1