Johnny John Boy
Reputation: 3283
Is having a CSRF with FastAPI any safer than not?
I've just read this article about Flask and using Svelte frontend with a separate API specifically the section calledFrontend Served Separately (cross-domain)
They are creating a CSRF cookie and header X-CSRFToken and I'm just built something similar using FastAPI.
Is this actually any more secure because couldn't a bad actor:
- Get a user to click on something
- New page calls the CSRF page and sets cookie/header cross domain
- On post the cookie/header are set
I know I must be missing something but I am confused. The code in question is:
@app.route("/api/getcsrf", methods=["GET"])
def get_csrf():
token = generate_csrf()
response = jsonify({"detail": "CSRF cookie set"})
response.headers.set("X-CSRFToken", token)
return response
Upvotes: 0
Views: 35
Answers (0)
Related Questions
- Why is it common to put CSRF prevention tokens in cookies?
- CSRF protection with CORS Origin header vs. CSRF token
- CSRF Double Submit Cookie is basically "not Secure"
- Set cookies for cross origin requests
- Django CSRF Token with Axios
- React frontend and REST API, CSRF
- CSRF Verification fails in production for Cross Domain POST request
- Can this be a strategy to defend csrf? (double submit cookie)
- CSRF and CORS with Django (REST Framework)