Question
I have a website that uses Django as the backend. I am now developing an iOS application that connects to the same backend. I am planning to use OAuth2 authentication for login and onwards. However, I just don't know what to do for the registration form. The registration form will POST data like email, username and password.
Since there is no csrf token for the app, it would get a 403 error. If I do csrf_exempt on the registration view, I don't know how secure it would be.
I searched Stack Overflow for existing questions but found conflicting answers. Some say CSRF protection is needed on the registration form while some say it's not required.
I have a couple questions I would like to ask.
1) What are the best practices for securing such registration forms?
2) If csrf protection is required, how would one go about achieving that?
I would really appreciate it if someone could point me to the right direction as to what should be done to make the registration form secure and what the best practices are.
Thank you.
Answer 1:
CSRF attacks don't occur from applications that don't act like a browser. Apart from that, the iOS cookie store is not shared between applications. If your iOS application doesn't work like a web-browser, in a way that it allows the user to navigate to different websites, you don't need to worry about CSRF attacks. Your exposed HTTP API (REST, SOAP, whatever) must not require a CSRF token from the mobile application.
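The distinction the answer above draws, written out as an added example (not code from the question, the answer, or Django itself): a state-changing request is a CSRF risk only when it rides on credentials the browser attaches by itself. The `Request` class, `ALLOWED_ORIGINS` and the cookie names are assumptions standing in for Django's own request object and settings.

```python
import hmac
from dataclasses import dataclass, field

ALLOWED_ORIGINS = {"https://example.com"}  # constructed: the site's own origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical; not Django's HttpRequest)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def has_ambient_credentials(req: Request) -> bool:
    """A browser attaches the session cookie to every request aimed at the site,
    including ones a hostile page triggers. That is what CSRF rides on."""
    return "sessionid" in req.cookies


def csrf_decision(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for a request.

    - Browser clients (cookie session) must submit a token equal to the csrftoken
      cookie, mirroring Django's double-submit check.
    - A client whose only credential is an explicit Authorization header (the
      OAuth2 bearer token the native app sends) carries nothing a cross-site page
      could borrow, so no CSRF token is demanded of it. An Origin header, when
      present, must still name the site itself.
    Note: Django's middleware rejects every cookie-less POST; this function only
    encodes the reasoning above, not Django's exact behaviour.
    """
    if req.method in SAFE_METHODS:
        return True, "safe method"
    origin = req.headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"cross-site origin {origin}"
    if not has_ambient_credentials(req):
        if req.headers.get("Authorization", "").startswith("Bearer "):
            return True, "bearer-authenticated client; no ambient credentials to forge"
        return True, "no session cookie; request is not riding on browser credentials"
    cookie_token = req.cookies.get("csrftoken", "")
    submitted = req.form.get("csrfmiddlewaretoken") or req.headers.get("X-CSRFToken", "")
    if cookie_token and submitted and hmac.compare_digest(cookie_token, submitted):
        return True, "cookie session with matching CSRF token"
    return False, "cookie session without a valid CSRF token"
```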
Answer 2:
Mechanize-like libraries act like a real browser, hold caches etc. So if you communicate via something like mechanize you can easily control sessions, CSRF tokens etc. Otherwise you can use Django's REST applications.
e.g.: http://allseeing-i.com/ASIHTTPRequest/
Source: https://stackoverflow.com/questions/25055218/csrf-protection-on-ios-native-app-registration-form