csrf

Angular2 and Laravel CSRF protection

ⅰ亾dé卋堺 submitted on 2021-01-29 03:14:36
Question: I have already read some topics, and the problem I encountered lies in this piece of code: <meta property="csrf-token" name="csrf-token" content="{{ csrf_token() }}"> I'm using Angular2 as the core engine, which sends AJAX requests to the Laravel API, and I'm not using Blade templates, just .html files, so I can't call the PHP function csrf_token() from an HTML file. So I added a temporary solution by extending my /var/www/pandacrm/app/Http/Middleware/VerifyCsrfToken.php file: public function handle(

How to disable csrf protection for particular pages in my website?

主宰稳场 submitted on 2021-01-28 22:18:53
Question: CSRF protection is used so that requests made from other websites cannot affect my website and cause harm. The Spring Security CSRF documentation says that CSRF protection is applied to PUT, POST, PATCH and DELETE requests. But according to my understanding, login/signup forms do not need CSRF protection, as they already require credentials in the form of a username and password, and even if such a request is made from another website, there will be no harm, as the user will just get logged in. But

How come requests from a “www” subdomain to a different subdomain considered “same-site”?

左心房为你撑大大i submitted on 2021-01-28 18:13:35
Question: Why do www.web.dev and static.web.dev count as the same site, while your-project.github.io and my-project.github.io count as different sites? There's a part of this page (https://web.dev/samesite-cookies-explained/) that is confusing me: "Key Term: If the user is on www.web.dev and requests an image from static.web.dev then that is a same-site request. The public suffix list defines this, so it's not just top-level domains like .com but also includes services like github.io. That enables

Spring Security using CSRF token even though not specified and turned off

大憨熊 submitted on 2021-01-28 13:53:43
Question: For my project I am trying to make a simple service which can handle POST, GET and DELETE requests. I'm not interested in the extra security layer added by CSRF protection, so I want it turned off. I know that by default it should be off, but it does not seem to behave. Every time I make a POST request, it gives me the following output: /users/insert at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' o.s.security.web.FilterChainProxy : /users/insert at position

POST/GET Vs PUT/DELETE in CORS

巧了我就是萌 submitted on 2021-01-28 11:23:07
Question: I just read this: "same-origin policy allows inter-origin HTTP requests with GET and POST methods but denies inter-origin PUT and DELETE requests". What is so special about PUT/DELETE? Why are they blocked? You can do an update/delete inside a POST method anyway. With CORS, why is a POST request preflighted if it uses XML/JSON rather than application/x-www-form-urlencoded? Please explain why some verbs are treated differently from others. Answer 1: The fundamental distinction is between the kind of

Avoid CSRF token in URLS

半腔热情 submitted on 2021-01-28 08:05:22
Question: In the browser I can see the CSRF token in the URL, which I want to avoid: http://localhost:8080/......./new?someval=val&CSRFToken=1975f761-fb40-4146-ad02-29ba9d5b3cdd The root cause is that we are using a FORM tag with the HTTP method GET. This is being used to pass some hidden parameters to the controller for some processing. How do I avoid the CSRF token in the URL? I don't want to remove the form, as it is already tested and removing it would have a testing impact. Answer 1: I had the same issue and I changed the submission's

How to pass a CSRF token safely to a separate VueJS frontend?

纵然是瞬间 submitted on 2021-01-28 06:29:34
Question: Laravel (backend) and VueJS (frontend created with Vue CLI) are separated, hence they have different domains and repositories. I am wondering what the best way is to pass a CSRF token from Laravel to VueJS safely. I've found some old questions here and on Laracasts, but they are either irrelevant, outdated or have no answer. Here are a few: "Pass csrf token from Laravel to Vue", "Creating a sign up token for Laravel app from separate frontend app" (Laracasts forum), "CSRF in separate angular app". I am aware

Use client fingerprint to encode JWT token?

假装没事ソ submitted on 2021-01-28 00:07:47
Question: I'm wondering if it would be best practice to use a client's fingerprint as the JWT secret for encoding. However, I couldn't find anything on the web concerning this question, but so far it makes sense to me to do it. I'm thinking about generating a fingerprint client-side with JavaScript and sending it to the API with every call. The API should then use the fingerprint together with a hard-coded secret for encoding and decoding the token. Isn't this a good method to prevent CSRF? Or am I missing out

Php curl login with csrf token

有些话、适合烂在心里 submitted on 2021-01-27 19:48:49
Question: I want to simulate a login with curl in PHP with a CSRF token. I know the token is refreshed every session and that I need to use the same cookie, and I do it like this: <?php use Symfony\Component\DomCrawler\Crawler; require 'vendor/autoload.php'; function login($url,$data){ $login = curl_init(); curl_setopt($login, CURLOPT_COOKIEJAR, "cookie.txt"); curl_setopt($login, CURLOPT_COOKIEFILE, "cookie.txt"); curl_setopt($login, CURLOPT_TIMEOUT, 40000); curl_setopt($login, CURLOPT_RETURNTRANSFER, TRUE);

Managing Session Cookies with Firebase and Electron

泪湿孤枕 submitted on 2021-01-27 13:34:08
Question: I am trying to set up session cookies in my Node server, which is the backend for an Electron app. I am trying to follow this guide: https://firebase.google.com/docs/auth/admin/manage-cookies The first thing I am confused about is where this function comes from in the "Sign In" section: const csrfToken = getCookie('csrfToken') Is 'getCookie' a function I am supposed to write myself? I am also not fully following the logic of the "create session cookie" snippet: const csrfToken = req.body