Rails API design without disabling CSRF protection

前端 未结 2 1468
轮回少年
轮回少年 2020-11-28 23:16

Back in February 2011, Rails was changed to require the CSRF token for all non-GET requests, even those for an API endpoint. I understand the explanation for why this is an

相关标签:
2条回答
  • 2020-11-28 23:55

    Rails works with the 'secure by default' convention. Cross-Site or Cross-Session Request Forgery requires a user to have a browser and another trusted website. This is not relevant for APIs, since they don't run in the browser and don't maintain any session. Therefore, you should disable CSRF for APIs.

    Of course, you should protect your API by requiring HTTP Authentication or a custom implemented API token or OAuth solution.

    0 讨论(0)
  • 2020-11-29 00:06

    Old question but security is important enough that I feel it deserves a complete answer. As discussed in this question there are still some risk of CSRF even with APIs. Yes browsers are supposed to guard against this by default, but as you don't have complete control of the browser and plugins the user has installed, it's should still be considered a best practice to protect against CSRF in your API.

    The way I've seen it done sometimes is to parse the CSRF meta tag from the HTML page itself. I don't really like this though as it doesn't fit well with the way a lot of single page + API apps work today and I feel the CSRF token should be sent in every request regardless of whether it's HTML, JSON or XML.

    So I'd suggest instead passing a CSRF token as a cookie or header value via an after filter for all requests. The API can simply re-submit that back as a header value of X-CSRF-Token which Rails already checks.

    This is how I did it with AngularJS:

      # In my ApplicationController
      after_filter :set_csrf_cookie
    
      def set_csrf_cookie
        if protect_against_forgery?
          cookies['XSRF-TOKEN'] = form_authenticity_token
        end
      end
    

    AngularJS automatically looks for a cookie named XSRF-TOKEN but feel free to name it anything you want for your purposes. Then when you submit a POST/PUT/DELETE you should to set the header property X-CSRF-Token which Rails automatically looks for.

    Unfortunately, AngualrJS already sends back the XSRF-TOKEN cookie in a header value of X-XSRF-TOKEN. It's easy to override Rails' default behaviour to accomodate this in ApplicationController like this:

      protected
    
      def verified_request?
        super || form_authenticity_token == request.headers['X-XSRF-TOKEN']
      end
    

    For Rails 4.2 there is a built in helper now for validating CSRF that should be used.

      protected
    
      def verified_request?
        super || valid_authenticity_token?(session, request.headers['X-XSRF-TOKEN'])
      end
    

    I hope that's helpful.

    EDIT: In a discussion on this for a Rails pull-request I submitted it came out that passing the CSRF token through the API for login is a particularly bad practice (e.g., someone could create third-party login for your site that uses user credentials instead of tokens). So cavet emptor. It's up to you to decide how concerned you are about that for your application. In this case you could still use the above approach but only send back the CSRF cookie to a browser that already has an authenticated session and not for every request. This will prevent submitting a valid login without using the CSRF meta tag.

    0 讨论(0)
提交回复
热议问题