Reputation: 1929
A Drupal website that my company is maintaining has a REST endpoint, using Drupal Services (likely not that relevant). One of the systems that I'm writing has to write changes in the system to that website over REST. To do this, we first have to 'login' to the system, for which we get a session token and id, and then have to get a CSRF token from this same website. To get this token, we have to make a request to the website, giving the token and id we got earlier. After this, we can use the token and id, combined with the CSRF token, to make edit requests.
But why does having to request this CSRF token first make this system any more secure?
Upvotes: 0
Views: 309
Reputation: 33538
If the REST API is used by web clients also, the CSRF token will be required to protect it against CSRF.
As noted, this makes it cumbersome to use in a server-side fashion. They could introduce a flag on their back end to indicate whether an account is using the API server-side or client-side, and only require the token for client-side usage.
Upvotes: 0
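Added example (not from the question, the answer, or Drupal Services): a minimal Python model of the three-step flow described in the question (login, fetch a CSRF token bound to the session, then edit), showing why a request that carries the session cookie but not the token is rejected. The session store, the server secret and the handler names are constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed server-side secret; a real deployment loads it from config.
SERVER_SECRET = b"constructed-example-secret"

# Session store: session id -> user name (stands in for the site's session table).
SESSIONS = {}

def login(username):
    """Step 1: create a session and return its id (the cookie value)."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = username
    return session_id

def issue_csrf_token(session_id):
    """Step 2: derive a token bound to this session. A cross-origin page can
    make the browser send the session cookie, but cannot read this response,
    so it never learns the token."""
    if session_id not in SESSIONS:
        raise PermissionError("not logged in")
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def handle_edit(cookies, headers, body):
    """Step 3: state-changing endpoint. Accept only if the session is valid
    AND the request carries the token bound to that same session."""
    session_id = cookies.get("session")
    if session_id not in SESSIONS:
        return 401, "no valid session"
    expected = issue_csrf_token(session_id)
    presented = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(expected, presented):
        return 403, "missing or invalid CSRF token"
    return 200, "node updated by %s" % SESSIONS[session_id]

def demo():
    sid = login("editor")
    token = issue_csrf_token(sid)
    # Legitimate client: session cookie plus the token it fetched itself.
    ok = handle_edit({"session": sid}, {"X-CSRF-Token": token}, {"title": "x"})
    # Forged cross-site request: the browser attaches the cookie automatically,
    # but the originating page never saw the token.
    forged = handle_edit({"session": sid}, {}, {"title": "unauthorized change"})
    # A token issued for a different session must not be accepted for this one.
    other = issue_csrf_token(login("someone-else"))
    swapped = handle_edit({"session": sid}, {"X-CSRF-Token": other}, {})
    return {"legit": ok[0], "forged": forged[0], "swapped": swapped[0]}

if __name__ == "__main__":
    print(demo())
```

A server-to-server client like the one in the question gets no benefit from the token, since nothing can make it send the cookie unwillingly; the check exists for the browser-based clients of the same endpoint.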
Reputation: 31
This is an odd use of a CSRF token; they are mainly used to stop a third-party site submitting form data to a site's form endpoint, as the token is issued when the site renders the form. Then, when the user POSTs, it checks whether the token is correct. It does this via a cookie.
But in your case it must be used to authenticate the REST calls, because the login id must remain the same across different sessions, so someone sniffing it could fake calls with that id. So the token is used instead of passing the login password each time (which would be a bad idea).
Upvotes: 1