csrf

Ajax CSRF 403 forbidden codeigniter

时间秒杀一切 提交于 2020-01-01 05:35:12
问题 Hello I am calling controller to get section using AJAX in my codeigniter based app which have CSRF Enable my ajax code $('#classes').change(function(){ $classes=$(this).val(); $.ajax({ type:"POST", data:{ '<?php echo $this->security->get_csrf_token_name(); ?>' : '<?php echo $this->security->get_csrf_hash(); ?>', 'class':$classes }, url:"<?php echo base_url();?>index.php/admin/getsection/"+$classes, success:function(return_data) { //alert(return_data); $('#section').html(''); $('#section')

Node.js use csurf conditionally with express 4

与世无争的帅哥 提交于 2020-01-01 05:24:11
问题 I try to use csurf on just a few routes in my express app. that's the approach: var express = require('express'); var session = require('express-session'); var csrf = require('csurf'); // some more stuff var csrfExclusion = ['/myApi','/unsecure']; var app = express(); var conditionalCSRF = function (req, res, next) { if (csrfExclusion.indexOf(req.path) !== -1){ next(); } else{ csrf(); } }); app.use(conditionalCSRF); even tried: var conditionalCSRF = function (req, res, next) { if

Playframework with CSRF : “CSRF token not found in session”?

非 Y 不嫁゛ 提交于 2020-01-01 04:54:11
问题 I'm making a simple authentication system using Playframework with their built-in CSRF filter and Security.Authenticator system, but I'm facing a problem : When the user fill his login/password and submit enter, I have the following error : CSRF token not found in session I checked my form and the CSRF token is really present and correctly placed (inside the tag) Here is my routes : GET /login controllers.Authentication.login POST /login controllers.Authentication.authenticate And my

Why is my CSRF token empty when using Form::open()?

泄露秘密 提交于 2020-01-01 04:54:09
问题 I am just starting out so please forgive me. I have a solid grasp on CodeIgniter, so I understand what is going on. However, I am noticing that my CSRF token is empty when I am creating a form. I am working through the laracasts videos to get a gasp on Laravel workflow. myfile.blade.php {!! Form::open((array('action' => 'MyController@method'))) !!} ... {{!! Form::close() !!}} Here is what I am getting when I view the source: <form method="POST" action="http://mysite.dev/route" accept-charset=

Securing Single-page-application from CSRF and XSS using CSP + localStorage

馋奶兔 提交于 2020-01-01 00:40:39
问题 I have a single page application, having sensitive content, and needs to be secured. This question is specific with securing against XSS and CSRF attacks. Explanation: It has been suggested many places, for example here to use cookies on top of localStorage while storing the auth-token. A very nice explanation is also provided in answer of another question here. Based on these answers, for secured contents, it is suggested to use cookies with ‘httpOnly’ and ‘secure’ options to avoid XSS; and

How to protect against CSRF when using Backbone.js to post data?

余生长醉 提交于 2019-12-31 17:38:32
问题 Backbone.js handles posting data to server under the hood, so there is no easy way to insert a CSRF token in the payload. How can I protect my site against CSRF in this situation? In this SO answer: https://stackoverflow.com/a/10386412/954376, the suggestion is to verify the x-Requested-By header to be XMLHTTPRequest. Is this enough to block all CSRF attempts? In Django docs, the suggestion is to add CSRF token in another custom header in every AJAX request: https://docs.djangoproject.com/en

Why CSRF token should be in meta tag and in cookie?

纵然是瞬间 提交于 2019-12-31 08:29:29
问题 What's the need of to put CSRF token name and value inside <head> tag using <meta> like: e.g: <meta content="authenticity_token" name="csrf-param" /> <meta content="4sWPhTlJAmt1IcyNq1FCyivsAVhHqjiDCKRXOgOQock=" name="csrf-token" /> I've read about concept to keep CSRF value in cookie but does not find about why to keep inside <head> tag. 回答1: To prevent CSRF you need a value that is submitted with the request that cannot be sent by a malicious site. Authentication cookies are not suitable

Django的csrf中间件

核能气质少年 提交于 2019-12-31 04:33:11
csrf中间件 ​ csrf 跨站请求伪造 ​ 补充两个装饰器: ​ from django.views.decorators.csrf import csrf_exempt,csrf_protect ​ csrf_exempt 给视图加上装饰器后,当前的视图不需要CSRF校验 ​ csrf_protect 给视图加上装饰器后,当前的视图需要CSRF校验 process_request: 从cookie中获取csrftoken的值 —— 》 request.META['CSRF_COOKIE'] process_view 视图函数加上csrf_exempt装饰器,不进行CSRF校验 请求方式 是'GET', 'HEAD', 'OPTIONS', 'TRACE' 也不进行校验 csrf_token = request.META.get('CSRF_COOKIE') # cookie中获取csrftoken的值 # 获取提交的csrfmiddlewaretoken的值 request_csrf_token = request.POST.get('csrfmiddlewaretoken', '') 如果或许不到csrfmiddlewaretoken的值 再尝试从请求头中获取X_CSRFTOKEN的值 —— 》request_csrf_token request_csrf_token 和

django中间件 csrf auth认证

限于喜欢 提交于 2019-12-31 04:32:33
django中间件 能做全局访问频率限制,身份校验,黑名单,白名单 用法: 新建一个文件夹,文件夹新建一个py文件,文件中写如下代码 注意点:你写的类必须继续MiddlewareMixin from django.utils.deprecation import MiddlewareMixin from django.shortcuts import HttpResponse,render class MyMiddleWare(MiddlewareMixin): def process_request(self,request): print('我是第一个自定义的中间件中process_request方法') # return HttpResponse('我是第一个中间件里面返回的对象') # return render(request, 'index.html') # process_request方法默认不返回HttpResponse对象,如果返回了 # 后续的中间件都不会再走,而是直接同级别走process_response方法 def process_response(self,request,response): print('我是第一个自定义的中间件中process_response方法') return response django允许用户自定义中间件

Why `init` of shim in my require.js configuration not called?

筅森魡賤 提交于 2019-12-31 03:18:00
问题 Update : I was writing a small module to handle this csrf token problem in backbone until I got push notification of @Louis's answer. His answer is quite elegant and seems nice, but I'll leave a link to my backbone.csrf module github repo just for anyone who needs it. ==================================================================== I'm using Backbone as my frontend framework along with my Django backend. I had to configure my Backbone.sync to set CSRF request header for every single AJAX
订阅 csrf