Reputation: 585
Is it safe to use a custom required HTTP header as a protection method from the CSRF for an API?
I have a JSON API built for a SPA which accepts only requests with "Accept: application/json" header. So submitting the following form in the browser will cause "Not Acceptable." HTTP error.
<form method="POST" action="https://api.example.domain/resource">
<input type="password" name="password" value="CSRF">
<input type="submit" value="Click!">
</form>
Is it means that the API has an immune to CSRF types of attack or am I missing something?
Upvotes: 1
Views: 1483
Answers (2)
Reputation: 1593
I don't think it will be secure because you can't implement all the prevention methods at a time. Of course adding the CORS support, HTTP Only flags and other methods might prevent you from getting hacked but you are not completely safe.
Instead of re-inventing the wheel by implementing all the prevention methods, I think its better to use an existing standard wrapper or middleware to prevent CSRF attacks on your application. These piece of codes sanitizes the input a lot more better than you can do.
You can use one of the best (my favorite wrapper), https://github.com/ring-clojure/ring-anti-forgery to prevent the CSRF attacks. If you are using node for your backend purposes here is another best middleware, https://github.com/expressjs/csurf .
I won't say its impossible to code whole thing by yourself to prevent CSRF attacks, but I think its smart way to use the existing standard pieces of code and focus on developing the functionalities will save a hell lot more of time.
Upvotes: 1
Reputation: 341
It should be quite secure, but still, there's a chance that the API is vulnerable.
If an attacker could find an XSS vulnerability in the website he could be able to add the header: Accept: application/json using JavaScript and then perform the CSRF attack.
For that reason, the recommendable is to rely on some headers that can't be set by JavaScript because they are on the 'forbidden' headers list, only browsers can modify them so no XSS vulnerability can be used in here.
You will find more information in OWASP: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
Upvotes: 3
Related Questions
- CSRF Token in REST API with authentication
- CSRF - Is it safe to ask it with api call?
- Is an X-Requested-With header server check sufficient to protect against a CSRF for an ajax-driven application?
- JSON API and CSRF
- Custom HTTP Header, does it violate the RESTful Architecture
- API CSRF protection
- Is it safe to include a CSRF token for a REST service as a Http Response Header?
- CSRF Protection with Custom header other than X-Requested-By
- Is it safe to set an anti-CSRF token on $http for Ajax requests?
- CSRF security risks if Validation token in header instead of POST body