csrf

Securing oauth bearer token against attacks such as XSS, CSRF in javascript apps

邮差的信 submitted on 2021-02-20 15:06:18
Question: I am a bit unclear about how to secure (or protect) bearer tokens when using pure JavaScript applications. I know that when the user requests a token from the server it can come with a validity of 14 days or 24 hours, but once the user has the token there is no neat (assured) way of securing it from XSS or CSRF attacks (am I missing something?). Now let's say the user is logged into the web application and the browser has this token, which is valid for 14 days. If the user is accessing another web application

Flask-WTF set time limit on CSRF token

生来就可爱ヽ(ⅴ<●) submitted on 2021-02-19 03:49:46
Question: I'm currently using Flask-WTF v0.13.1. I have a few forms on my website, all created including the CSRF token. For some reasons I have to set a different expiration on each form; so far I could manually set the time_limit value when creating the CSRF token. I would like to update to v0.14, but according to the changelog time_limit is gone and there is no reference in the docs on how to change it anymore. Looking in the source code I saw that the form has a csrf_time_limit meta parameter. I

Why do _token and XSRF-TOKEN differ in Laravel?

十年热恋 submitted on 2021-02-15 06:14:02
Question: I don't understand why the token for AJAX requests (XSRF-TOKEN) is different from the _token that normal forms use. In addition, it's much longer. Why? And why have 2 tokens at all? Why not just use one, which would be the same for both AJAX and normal requests? Answer 1: One approach, two techniques. Laravel uses 2 distinct techniques to prevent CSRF attacks. The approach is the same: send a token (CSRF or XSRF) to the client, and the client has to return it in the following request. There are 2 steps:

CSRF Protection with Flask/WTForms and React

☆樱花仙子☆ submitted on 2021-02-10 18:10:35
Question: Has anyone successfully implemented CSRF protection for a form submitted with React (as a controlled component) to a Flask back-end (ideally with WTForms)? I've seen a lot of partial answers, and one with Django, but couldn't find anything definitive for Flask. My big issue seems to be that I don't know how to send the CSRF token to my React front end, store it as a header before submitting my form, then submit my form with the correct token. Any direction would be really helpful. Answer 1: So,

Django CSRF_TOKEN issue with Edge only

半城伤御伤魂 submitted on 2021-02-10 15:47:07
Question: I'm trying my Django application in different browsers (Chrome, Firefox, IE11 and Edge) and I got an issue with the csrf_token in Edge only. This issue is in reference to my Django form. My view file:

    class ManageDocView(AdminRequiredMixin, View):
        """ Render the Admin Manage documents to update year in the filename"""
        template_name = 'omcl/manage_doc_form.html'
        form_class = ManageDocForm
        success_url = 'omcl/manage_doc_form.html'

        @staticmethod
        def get_title():
            return 'Change Document

CSRF token on a web page with multiple forms?

房东的猫 submitted on 2021-02-08 11:41:48
Question: When CSRF is enabled and a web page has multiple forms, will all the forms have the same CSRF token or will each form have a unique CSRF token? If this is framework dependent, then how does it work in the context of Spring Security? Answer 1: CSRF is not associated with a form or something like that, but with each request. Each individual request contains a new CSRF token. Source: https://stackoverflow.com/questions/64422918/csrf-token-on-a-web-page-with-multiple-forms
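Added example, not taken from either thread above and not Flask-WTF's or Spring Security's own code: the stdlib-only Python below re-implements the token scheme that Flask-WTF's generate_csrf()/validate_csrf() follow (the library itself uses itsdangerous; the function names, the SECRET_KEY value and the session dict here are this example's own). It speaks to both the Flask-WTF time-limit question and the multiple-forms question: one random raw value lives in the server-side session, every token handed to a page is that value serialised with a timestamp and signed, and validation checks signature, then age against a time limit that can differ per form, then the match with the session. Because validation compares against the session value rather than a per-form record, several forms on one page can each carry their own token string and all validate.

```python
"""Time-limited, session-bound CSRF tokens, stdlib only.

Added illustration of the scheme Flask-WTF's generate_csrf()/validate_csrf()
follow; this is a from-scratch re-implementation (Flask-WTF itself uses
itsdangerous), and every name below is this example's own, not a library API.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed key for the example; a real app uses its configured SECRET_KEY.
SECRET_KEY = b"example-secret-key-not-for-production"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> str:
    return _b64(hmac.new(key, payload, hashlib.sha256).digest())


def generate_csrf(session: dict, key: bytes = SECRET_KEY,
                  now: Optional[int] = None) -> str:
    """Mint a signed token for this session.

    The raw value is created once per session, so several forms on one page
    can each call this and receive tokens that all validate, whether the
    strings are identical or (minted at different seconds) differ.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    issued = int(time.time()) if now is None else now
    payload = f"{session['csrf_token']}.{issued}".encode("ascii")
    return f"{_b64(payload)}.{_sign(payload, key)}"


def validate_csrf(token: str, session: dict, time_limit: Optional[int] = 3600,
                  key: bytes = SECRET_KEY,
                  now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason). time_limit is in seconds; None disables expiry.

    Passing a different time_limit per form is the per-form expiry the
    Flask-WTF question asks about (the library exposes it as the form's
    Meta.csrf_time_limit).
    """
    if not token or "csrf_token" not in session:
        return False, "missing token or session value"
    try:
        body_b64, sig = token.rsplit(".", 1)
        payload = _unb64(body_b64)
    except ValueError:  # binascii.Error is a ValueError too
        return False, "malformed token"
    # Constant-time compare of the encoded MACs before trusting the payload.
    if not hmac.compare_digest(sig.encode(), _sign(payload, key).encode()):
        return False, "bad signature"
    try:
        raw, _, issued_str = payload.decode("ascii").rpartition(".")
        issued = int(issued_str)
    except ValueError:
        return False, "malformed token"
    current = int(time.time()) if now is None else now
    if time_limit is not None and current - issued > time_limit:
        return False, "token expired"
    # Signed by us, but it must also belong to *this* session: a token lifted
    # from another user's page fails here.
    if not hmac.compare_digest(raw.encode(), session["csrf_token"].encode()):
        return False, "token does not match session"
    return True, "ok"


if __name__ == "__main__":
    sess = {}
    form_a = generate_csrf(sess, now=1000)
    form_b = generate_csrf(sess, now=1001)  # second form on the same page
    print(form_a != form_b, validate_csrf(form_a, sess, now=1500),
          validate_csrf(form_b, sess, now=1500))
    print(validate_csrf(form_a, sess, time_limit=60, now=1500))
```

The `now` parameter exists only so the expiry path can be exercised deterministically; in a request handler it is left at `None`. Note that frameworks differ on the per-session versus per-request question: this example follows the Flask-WTF design, in which the session value is stable and only the signed wrapper changes.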