csrf

问题 I have read many articles about CSRF protection (this is a good one) and various questions here on SO, but none of them seem to be informative enough to answer my question. I am developing my own CMS and I want to secure my login and comment forms. I am going to allow anonymous users to comment on my website. All of the forms on my website are secured using tokens. I already know about that approach, but the problem is that it needs an active session (that is, after the user logs in). The

问题 On my rails app, on all pages, in the head section there are these 2 meta tags: <meta name="csrf-param" content="authenticity_token" /> <meta name="csrf-token" content="027GUZBeEkmv..." /> On forms not rendered using a partial there is a hidden authenticity_token field <input type="hidden" name="authenticity_token" value="D5TddQruJppDD3..." /> But this field misses if I simply load the form like this: <%= render 'shared/comment_form' %> Is this expected behavior ? Should I manually add an

问题 In my Laravel 5.4, I use the following code in my ajax using jQuery: $.ajax({ url : 'http://example.com/addmember', method : 'POST', headers: { 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') }, beforeSend : function() {}, data : $('#theForm').serialize(), success : function(response) { // I do something here }, error : function(e) { console.log(e); }, complete : function(c){ } }); I sometimes get a token mismatch exception like so: I generally get this error when the user stays

问题 I am creating a django rest api, and I'm trying to send JSON data via PUT request from an Android device, using HttpUrlConnection. URL url = new URL(myurl); conn = (HttpURLConnection) url.openConnection(); conn.setReadTimeout(10000 /* milliseconds */); conn.setConnectTimeout(15000 /* milliseconds */); conn.setRequestMethod("PUT"); conn.setDoInput(true); conn.setDoOutput(true); conn.setRequestProperty("Content-Type", "application/json; charset=UTF-8"); conn.setRequestProperty("Accept",

问题 I understand that the Django's comments framework was designed for anonymous public comments like you commonly see below a blog or an artcile. In other words, anyone can post comments. I am using the comments framework for only allowing logged in users to display comments. What I did was modify the form.html and hid the name , URL , and email field (leaving the security fields intact). So pretty much the user only sees a comment field. I wanted to use Django's comments since it already has

问题 From http://sporcic.org/2012/10/csrf-with-nodejs-and-express-3: app.use(express.csrf()); app.use(function(req, res, next){ res.locals.token = req.session._csrf; next(); }); app.use(app.router); To make use of above protection, does it mean I should put hidden _csrf hidden input in ALL of my forms including admin-only pages? 回答1: One option is to add a hidden input field to all your forms as you mention. But according to the Express docs on csrf: The default value function checks req.body

问题 Previously I used a gem which provided a controller for accepting external services to POST some data into our app. However in Rails 5.2 it stopped working. When the endpoint is triggered, it raises ActionController::InvalidAuthenticityToken error. 回答1: For Rails before 5.2, the generated ApplicationController will call protect_from_forgery , meaning POST,PUT,DELETE actions are checked for authenticity. New Rails 5.2 projects will by default check authenticity token for any subclass of

问题 Is there a way to disable CSRF for all controllers, or does it have to be disabled on a per-controller basis? I am using ruby on rails as an API only and do not need any sort of CSRF as the requests aren't anywhere near session based. I'd like to disable just for JSON requests. I believe this might work, but am unsure class ApplicationController < ActionController::Base # Prevent CSRF attacks by raising an exception. # For APIs, you may want to use :null_session instead. protect_from_forgery

问题 Why generated CSRF protection token is not saved and used via SESSION like suggested here? Currently in CI2, the CSRF protection mechanism (in Security class) is such: 1.generate a unique value for CSRF token in _csrf_set_hash() function: $this->csrf_hash = md5(uniqid(rand(), TRUE)); 2.Insert that token into form hidden field (using form_open helper) 3.A user submits the form and a server gets the token via POST. The CI performs token verification in "_sanitize_globals()" function in Input