csrf-protection

问题 I am implementing an API that works either with an API key, or with a CSRF token. The goal is for it to be usable either by a web app (protected by CSRF) or by a third party application (protected by API key). Basically on each request (all via POST), I check if there is an API key. If there is a valid one, it's good to go. If not, I want to fall back to verifying CSRF. Is there a function I can call to verify the CSRF myself? The view itself is @csrf_exempt because API keys need to work. 回答1

问题 If I understand correctly, in a CSRF attack a malicious website A tells my browser to send a request to site B . My browser will automatically include my B cookies in that request. Although A cannot see those cookies, if I'm already authenticated in B the request will look legit, and whatever action was asked will be successfully performed. To avoid this, every time that I visit a page of B containing a form, I receive a CSRF token. This token is associated to my session, so if I make a POST

问题 I'm using Symfony2.1 . It has a builtin CSRF protection for the forms. The error message returned when the CSRF token is invalid is: " The CSRF token is invalid. Please try to resubmit the form ". I show it on the top of the form in my Twig template by using the classic call: {{ form_errors(form) }} How can I change the returned message? In alternative, a more advanced possibility is to catch this error type in order to show a lot of options/links in my Twig template. Any idea? 回答1: Did you

问题 Is it possible to configure CSRF protection in grails3 app using spring-security plugin, I can't find anything except useToken attribute for grails form and then call withForm inside controller. But this is actually not a very flexible solution. I like approach with filter like here 回答1: For csrf protection I reused org.springframework.security.web.csrf.CsrfFilter . You need to define new bean in grails resouces.groovy (See snipet below - csrfFilter bean). You can define your own

问题 I'm trying to create a Facebook Page Tab which points to my website. Facebook sends a HTTP POST request to the url of my website. The problem here is that the server has a built-in CSRF check, and it returns the following error: (Plug.CSRFProtection.InvalidCSRFTokenError) invalid CSRF (Cross Site Forgery Protection) token, make sure all requests include a '_csrf_token' param or an 'x-csrf-token' header` The server expects a CSRF token that Facebook can't have. So, I want to selectively

问题 I am trying to incorporate the CSRFGuard library(< org.owasp csrfguard 3.1.0 >) in order to rectify some CSRF vulnerabilities in an application. However after configuring as specified here I am now getting the below message: Here I would like to explain scenario when I am getting this message - For suppose my application landing page like this And code snippet for this page(HelloWorld.jsp) is <%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%> <%@

问题 I have implemented Spring Security in my application. Whenever someone tries to access any url if authentication is required for these urls user will be redirected to login page. Now, if AJAX call is made for any such url I would like to return JSON response instead of login page's HTML as AJAX response. How can I do that ? 回答1: You have to create json for this i am doing here with .net var url="url"; $.ajax({ type: "get", dataType: "json", data:url, async: true, url: "testCall",//this can be

问题 CodeIgniter gives an error "The action you have requested is not allowed." when it fails the check for CSRF. As I understand it, this means the POST is missing the hidden token from the form that proves that an attack is not being done. The token is generated automatically with a call to the CI form_open function. In my case, I'm using Knockout to post the contents of a ViewModel for saving, like this: ko.utils.postJson($("form")[0], self.pages); I've found solutions elsewhere that simply

问题 I am working on a Rails 5 api project which is used by mobile client with gem devise_token_auth for authorization. I am clear about what the warning means. 1st Question: CSRF protect should be turned OFF for api(JSON/XML)respond , correct? I searched some on web it seems CSRF just happens on web application with cookie. But i read this from rails api document: It's important to remember that XML or JSON requests are also affected >and if you're building an API you should change forgery

问题 In my Spring application in spring security configuration file when csrf is enable (<security:csrf/>) and try to submit login form then Access denied page 403 appear (or) (Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.) exception (when access-denied-handler not present) "But if I don't enable CSRF in spring security configuration file then everything work perfectly." Here my codes when CSRF enable pom.xml (all the versions) <properties> <spring