Jonathan

Reputation: 267

Cross Platform CSRF

We have an ASP.Net web application that we are considering moving to another stack like Python or Ruby. We don't want to replace the entire application in one fell swoop and are looking to replace the exposed REST API in pieces. Our thoughts are to run the new web app alongside the existing .Net app and route some ajax requests over as we implement.

My question is: Are there any cross platform CSRF libraries that we can use to validate requests both on the .Net side and also on the Python/Ruby/Node stack?

Ideally once the API endpoint is implemented in the new stack, we'd just point the REST endpoint to the new url.

Upvotes: 0

Views: 71

Answers (1)

SilverlightFox

Reputation: 33538

You could implement your own using a simple technique such as Double Submit Cookies - the code on both sides should be fairly straightforward and interoperable.

Double Submit Cookies works by setting a random value (hopefully generated by a CSPRNG or by using another unpredictable method) as both a cookie and a hidden form field.

Because any attacker cannot retrieve this value from the hidden form field due to the Same Origin Policy, there is no way that a cross-site request can be sent where the cookie value is the same as the hidden form field. Storing the value in cookies negates the need to store anything server-side.

Because this is a simple check and can be achieved in both frameworks easily (pseudocode: if cookie != hidden_field then <reject>), it should be straightforward to implement.

Upvotes: 1
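The Double Submit Cookie check described in the answer above, as an added Python example (not code from the answerer or from any library): one function issues a CSPRNG token, the page carries it both as a cookie and as a hidden field, and the endpoint rejects any request where the two do not match. The cookie and field names, the `Set-Cookie` attributes and the simulated requests at the bottom are assumptions for illustration; the wire format (a cookie and a form field sharing one name) is the only thing the .Net side and the new stack need to agree on, so the same check can be reimplemented verbatim in C#, Ruby or Node.

```python
import hmac
import html
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Assumed names: both stacks must use the same pair for the scheme to interoperate.
COOKIE_NAME = "csrf_token"
FIELD_NAME = "csrf_token"


def issue_csrf_token() -> str:
    """Fresh unpredictable token from the OS CSPRNG (the secrets module)."""
    return secrets.token_urlsafe(32)


def set_cookie_header(token: str) -> str:
    """Cookie the browser will attach to later requests to this site."""
    return f"Set-Cookie: {COOKIE_NAME}={token}; Path=/; Secure; SameSite=Lax"


def hidden_field(token: str) -> str:
    """Hidden form field carrying the same token; a cross-origin page cannot read it."""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{html.escape(token)}">'


def token_from_cookie_header(cookie_header: Optional[str]) -> Optional[str]:
    """Extract the CSRF cookie from a raw Cookie: request header, if present."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def csrf_request_is_valid(cookie_token: Optional[str], submitted_token: Optional[str]) -> bool:
    """The whole check: cookie value must equal the submitted value, else reject.

    Both halves must be present (a missing cookie or field is a rejection, not a
    pass), and the comparison is constant-time so timing does not leak the token.
    """
    if not cookie_token or not submitted_token:
        return False
    return hmac.compare_digest(cookie_token.encode(), submitted_token.encode())


def handle_post(cookie_header: Optional[str], form: dict) -> bool:
    """What a state-changing endpoint does before any work: True = accept."""
    return csrf_request_is_valid(token_from_cookie_header(cookie_header), form.get(FIELD_NAME))


if __name__ == "__main__":
    token = issue_csrf_token()
    print(set_cookie_header(token))
    print(hidden_field(token))

    # Constructed requests. A legitimate form post carries the cookie and the
    # matching field; a forged cross-site post gets the cookie attached by the
    # browser but the attacker's page can only guess the field value.
    legit = handle_post(f"session=abc; {COOKIE_NAME}={token}", {FIELD_NAME: token})
    forged = handle_post(f"session=abc; {COOKIE_NAME}={token}", {FIELD_NAME: "guess"})
    print("legitimate request accepted:", legit)   # True
    print("cross-site request accepted:", forged)  # False
```

Nothing is stored server-side: the server only ever compares the two copies it receives. One caveat worth knowing before relying on the plain version across two stacks is that the check assumes an attacker cannot set cookies for your domain; if that does not hold (for example a sibling subdomain under attacker control), the usual hardening is to make the cookie value an HMAC of the token under a server secret shared by both stacks, which leaves the cross-platform comparison above unchanged.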
