CSRF token from either the request body or request headers did not in Cake PHP - cakephp

We do not need a CSRF token in our internal CakePHP application, so how can we disable it in my application? Please help me.
Thanks

Related

how to obtain django csrf token in react forms?

I'm developing an app using Django REST framework and React. I need to implement a CSRF token for some of my forms and also a JWT refresh token. These are the options that exist for Django CSRF token handling:
Using {% csrf_token %} before forms in a Django template.
Adding the CSRF decorator @ensure_csrf_cookie to a view, to set the CSRF token as a cookie in the response, and then getting the value of that cookie in React and adding it to my form or request header.
The first option is not possible in my case, because I'm using React instead of Django templates.
And the second option is not a good idea, because I would have to request this specific view (API) to obtain a CSRF token before submitting every form. And also I don't know, in this case, how Django is going to validate CSRF tokens properly. I mean, how should Django recognize that the passed CSRF token was made by the user whose data is being modified? Maybe a malicious user requests that view, obtains a valid token, and uses that token to modify someone else's information!
So my question is: what is the best way of utilizing CSRF tokens in Django + React projects?
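The question above asks how the server can tell that a submitted token belongs to the user whose data is being modified. The check Django actually performs is a double-submit comparison: the value of the csrftoken cookie the browser sends must equal the value in the X-CSRFToken header (or form field). The following added illustration, which is not Django's code, models that check and runs it over the cases the question worries about; the cookie names match Django's, while the origin, session ids and request shapes are constructed for the example. Real Django additionally masks the token and checks Origin/Referer.

```python
"""
Added illustration, not Django's code: a simplified model of Django's
double-submit CSRF check (csrftoken cookie versus X-CSRFToken header).
Real Django also masks the token and checks Origin/Referer.
"""
import hmac
import secrets

COOKIE_NAME = "csrftoken"
HEADER_NAME = "X-CSRFToken"
SITE_ORIGIN = "https://api.example.test"      # constructed value


def ensure_csrf_cookie(cookies):
    """The GET view behind @ensure_csrf_cookie: returns the cookie jar the
    browser holds afterwards, adding a csrftoken cookie if it had none."""
    if COOKIE_NAME in cookies:
        return dict(cookies)
    return {**cookies, COOKIE_NAME: secrets.token_urlsafe(32)}


def check_csrf(request):
    """Return 'ok' or the reason an unsafe request is rejected.  The token is
    not tied to a user: it only proves the sender could read this site's
    cookie, which a page on another site cannot do."""
    if request["method"] in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return "ok"
    if request.get("origin") not in (None, SITE_ORIGIN):
        return "bad origin"
    cookie = request["cookies"].get(COOKIE_NAME)
    header = request["headers"].get(HEADER_NAME)
    if cookie is None or header is None:
        return "missing"
    if not hmac.compare_digest(cookie, header):
        return "mismatch"
    return "ok"


def react_post(jar, body, origin=None, token=None):
    """What the React app does before each unsafe request: read the cookie
    and echo it in the header.  `token` overrides that for the attack cases."""
    if token is None:
        token = jar.get(COOKIE_NAME)
    headers = {HEADER_NAME: token} if token else {}
    return {"method": "POST", "origin": origin, "cookies": dict(jar),
            "headers": headers, "body": body}


def simulate():
    """Run the cases the question worries about and return each verdict."""
    victim = ensure_csrf_cookie({"sessionid": "victim-session"})       # constructed
    attacker = ensure_csrf_cookie({"sessionid": "attacker-session"})   # constructed
    body = {"email": "changed@example.test"}
    results = {}
    # Same-origin React form: cookie and header carry the same value.
    results["victim_legit"] = check_csrf(react_post(victim, body, SITE_ORIGIN))
    # Classic CSRF: a form on another site auto-submitted in the victim's
    # browser.  The browser attaches the victim's cookies, but the foreign
    # page cannot read them, so no header can be supplied.
    results["forged_form_post"] = check_csrf(react_post(victim, body, token=""))
    # The scenario from the question: someone fetched a *valid* token for
    # their own session and replays it against the victim's cookie.
    results["attacker_token_on_victim"] = check_csrf(
        react_post(victim, body, token=attacker[COOKIE_NAME]))
    # Script on another origin sending credentials: stopped by the origin
    # check (and, in a real browser, by CORS before it reaches the server).
    results["cross_origin_script"] = check_csrf(
        react_post(victim, body, origin="https://evil.example.test"))
    # The attacker's token is perfectly usable in the attacker's own browser,
    # but the sessionid cookie decides whose data the view touches.
    results["attacker_own_session"] = check_csrf(react_post(attacker, body, SITE_ORIGIN))
    return results
```

The design point is that the token never needs to identify the user: the session cookie does that, and the token only proves that whoever built the request could read a cookie scoped to the site, which a third-party page cannot. Fetching the cookie once with an @ensure_csrf_cookie view and echoing it on every unsafe request is therefore enough; no per-form round trip is required.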

Angular show error 405 Method Not Allowed when set Authorization header

I am using the Slim Framework (PHP) for the backend and Angular 1 for the frontend.
All APIs work fine until I set the Authorization header when the user logs in to the app.
$http.defaults.headers.common.Authorization = token; // Token is valid
// or
Restangular.setDefaultHeaders({'Authorization': token });
I get the error 405 Method Not Allowed (OPTIONS method). This error occurs on my local machine; when I deploy the frontend to the server, it works fine.
Should I fix this on the frontend or the backend? And please help me with how to fix it.
Thanks for your help :)
OPTIONS is a CORS preflight request. You need to enable CORS support. One way to do it is to use CORS middleware.
I do not know if anybody is still interested in this topic,
but I am going to tell you my approach.
I added CORS options to the web config file in my API project and then added the
[HttpOptions] attribute to my API method, and then it started working.
I do not know if it is the right answer or not, but until I find a better solution I am going to use this approach.

CSRF filter blocks all http post in angularJs

To secure my application and for authentication I'm using Silhouette. I don't know how to manage my CSRF filter: does Silhouette manage CSRF tokens automatically or not? If yes, why are all my $http requests (for uploading a file) from Angular blocked? If no, what should I do to enable my HTTP requests?
If you haven't already, check out the example:
https://github.com/mohiva/play-silhouette-angular-seed
Note:
create the Filters.scala class: https://github.com/mohiva/play-silhouette-angular-seed/blob/master/app/utils/Filters.scala
filters are registered in application.conf: https://github.com/mohiva/play-silhouette-angular-seed/blob/master/conf/application.conf#L25
also, they configure filters in the application.conf: https://github.com/mohiva/play-silhouette-angular-seed/blob/master/conf/application.conf#L59

CSRF & CORS with AngularJS + Laravel

I'm working on an AngularJS webapp with a Laravel backend.
I want to enable CSRF protection with cross-domain requests. Is it possible?
$http reference in "Cross Site Request Forgery" says "The header will not be set for cross-domain requests"
Looking at the Developer Tools logs I see that after the $http.post call the preflight request is sent (OPTIONS verb) and it has the XSRF-TOKEN cookie set, but the POST request has no cookies, so I can't do:
$http.defaults.headers.post['X-CSRFToken'] = $cookies['XSRF-TOKEN'];
Any idea?
UPDATE:
@zeroflagL: I tried with
$http.defaults.headers.common.xsrfCookieName = 'XSRF-TOKEN';
$http.defaults.headers.common.xsrfHeaderName = 'X-XSRF-TOKEN';
And now in the Request headers of the POST I have:
xsrfCookieName:XSRF-TOKEN
xsrfHeaderName:X-XSRF-TOKEN
But the CSRF check is not passed (TokenMismatchException on the server).
I suppose that in the Request headers there should be the XSRF-TOKEN to work...
As zeroflagL said, CSRF protection can't be applied to cross-domain requests.
To reply to my question: no, it's not possible.

What is the best way to do user authentication with Devise 3 and Backbone?

I'm working with this stack:
Core RESTful API with Rails 4 and Devise 3.2
Another app/instance with Backbone
I have read many articles, manuals, Stack Overflow topics, random Google results, blogs, etc., but they are all very deprecated.
Using a practical approach (tl;dr here), I just need to get a real session between Devise 3 and Backbone in different server instances and hold it, like two separate projects. Remote login, you know.
I'm really stuck with that so I would greatly appreciate your suggestions.
Thank you guys.
Personally, I have the same situation in my project, with Angular instead of Backbone as a front-end and a Rails 4 API with Devise. I will try to sum things up for you on the assumption that I got your question right.
To work correctly with sessions in your scenario you need to be sure that:
Browsers handle communication correctly (i.e. they don't mess with your data because requests do not comply with CORS policies)
and your requests get through Rails CSRF protection.
Please read this article about CORS. If you are not familiar with CORS, the article should provide the necessary background for my answer. Some info about CSRF protection is here.
Here is your scenario step by step:
Backbone.js sends a GET request such as http://yourserver/signin
The Rails server sends a session cookie that will be stored in the browser, and a CSRF token, which can be stored somewhere within your Backbone application.
Backbone.js sends a POST request with the user credentials (name, password) and the CSRF token in the headers and the current unauthorized session in cookies. It is crucial that the request contains the session information. Otherwise it will be granted a different CSRF token on the Rails side and you will get a WARNING: Can't verify CSRF token authenticity message.
Backbone.js gets an authorized session back if the credentials are correct.
Here is what can be done to get it working:
The Rails backend should respond correctly to requests from the front-end, which means it should:
Respond to OPTIONS requests (preflight requests)
Send correct CORS headers
Be able to communicate the CSRF token to the front-end
The front-end should:
Be able to send requests with credentials
Obtain and use the correct CSRF token
The simplest way to teach your Rails back-end to respond to CORS requests is to use the rack-cors gem. This will also provide correct CORS headers.
config.middleware.insert_before Warden::Manager, Rack::Cors do
  allow do
    origins '*' # it's highly recommended to specify the correct origin
    resource '*',
      :headers => :any,
      :methods => [:get, :post, :delete, :options], # 'options' is really important
                                                   # for preflight requests;
                                                   # 'delete' is needed for sign-out (destroy)
      :expose => ['X-CSRF-Token'] # allows usage of the token on the front-end
  end
end
Last thing on a backend side is to provide CSRF token. Custom Devise controller should handle this task perfectly.
class SessionsController < Devise::SessionsController
  after_action :set_csrf_header, only: [:new, :create, :destroy]
  #...
  protected

  def set_csrf_header
    response.headers['X-CSRF-Token'] = form_authenticity_token
  end
end
Note that you need the CSRF token when you send the first GET request (new), when you submit credentials through the POST request (create), and when you sign out of your application by sending a DELETE request (destroy). If you don't send the CSRF token on sign-out, you won't be able to sign in again without reloading the page.
And somewhere in config/routes.rb don't forget to specify that you are now using the custom controller:
# config/routes.rb
devise_for :users, :controllers => {:sessions => "sessions"}
Now, to the front-end. Please have a look at this script that overrides the standard Backbone.sync and handles communication with the Rails server.
It is almost good, with a couple of corrections needed:
// Inside the Backbone.sync override from the linked script: `options`,
// `params` and `model` are the variables that override already defines.
beforeSend: function( xhr, settings ) {
  if (!options.noCSRF) {
    // we dont have csrf-token in the document anymore
    //var token = $('meta[name="csrf-token"]').attr('content');
    // New Line #1
    // we will get CSRF token from your application.
    // See below for how it gets there.
    var token = YourAppName.csrfToken;
    if (token) xhr.setRequestHeader('X-CSRF-Token', token);
    // New Line #2
    // this will include session information in the requests.
    // jQuery hands beforeSend its jqXHR wrapper, so withCredentials must be
    // set through xhrFields, which jQuery copies onto the native XHR at send time.
    settings.xhrFields = { withCredentials: true };
  }
},
//..some code omitted
//................
// Trigger the sync end event
var complete = options.complete;
params.complete = function(jqXHR, textStatus) {
  // New Lines #3,4
  // If response includes CSRF token we need to remember it
  var token = jqXHR.getResponseHeader('X-CSRF-Token');
  if (token) YourAppName.csrfToken = token;
  model.trigger('sync:end');
  if (complete) complete(jqXHR, textStatus);
};
I'm not sure this qualifies as a complete answer to your question, but at least it is something to start from. It might not be the best way, but it is the way. Let me know if you have any questions.
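The answer above exchanges the CSRF token through a response header that the CORS policy explicitly exposes, and binds it to the session cookie that travels with credentialed requests. That design also answers the two earlier threads on this page: the 405 on OPTIONS is the preflight that has to be answered before any cross-origin call with custom headers goes through, and the AngularJS + Laravel thread's dead end (the XSRF-TOKEN cookie is not readable across origins) is avoided because the token arrives in a header the front-end can read. The following added example, which is not code from the answer, from Rails, Devise or rack-cors, models that whole exchange in Python: the origin, password and cookie name are constructed values, and the handlers stand in for the OPTIONS preflight, GET /signin and POST /signin.

```python
"""
Added example, not code from the answer above or from Rails/Devise/rack-cors:
a minimal Python model of the session-bound CSRF token exchange the answer
describes, including the CORS preflight a cross-origin front-end triggers.
"""
import hmac
import secrets

ALLOWED_ORIGIN = "https://frontend.example.test"  # constructed; never '*' with credentials
_SESSIONS: dict = {}                               # session id -> {"csrf": ..., "user": ...}


def _cors_headers(origin):
    """CORS headers for a trusted origin; the CSRF header must be exposed
    or the browser hides it from the front-end script."""
    if origin != ALLOWED_ORIGIN:
        return None
    return {
        "Access-Control-Allow-Origin": origin,          # exact origin, not '*'
        "Access-Control-Allow-Credentials": "true",     # lets the session cookie travel
        "Access-Control-Expose-Headers": "X-CSRF-Token",
    }


def preflight(origin):
    """Answer the OPTIONS request; a 405 here breaks every cross-origin call."""
    cors = _cors_headers(origin)
    if cors is None:
        return {"status": 403, "headers": {}}
    cors["Access-Control-Allow-Methods"] = "GET, POST, DELETE, OPTIONS"
    cors["Access-Control-Allow-Headers"] = "Content-Type, X-CSRF-Token"
    return {"status": 204, "headers": cors}


def _session_for(cookies):
    """Find the caller's session or, like Rails, start a fresh one."""
    sid = cookies.get("_session_id")
    if sid not in _SESSIONS:
        sid = secrets.token_urlsafe(32)
        _SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32), "user": None}
    return sid, _SESSIONS[sid]


def _session_cookie(sid):
    # SameSite=None; Secure is what lets a cross-site XHR carry the cookie at all
    return f"_session_id={sid}; HttpOnly; Secure; SameSite=None"


def signin_page(origin, cookies):
    """GET /signin: hand out the session cookie and the token bound to it."""
    cors = _cors_headers(origin)
    if cors is None:
        return {"status": 403, "headers": {}}
    sid, session = _session_for(cookies)
    cors["Set-Cookie"] = _session_cookie(sid)
    cors["X-CSRF-Token"] = session["csrf"]
    return {"status": 200, "headers": cors}


def signin(origin, cookies, headers, credentials):
    """POST /signin: the token in the header must match the session in the cookie."""
    cors = _cors_headers(origin)
    if cors is None:
        return {"status": 403, "headers": {}}
    sid, session = _session_for(cookies)
    supplied = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(supplied, session["csrf"]):
        # This is the point where Rails logs "Can't verify CSRF token authenticity"
        return {"status": 422, "headers": cors}
    if credentials.get("password") != "correct horse battery staple":  # constructed
        return {"status": 401, "headers": cors}
    session["user"] = credentials["name"]
    cors["Set-Cookie"] = _session_cookie(sid)
    return {"status": 200, "headers": cors, "user": session["user"]}


def cookie_from(resp):
    """What the browser stores from Set-Cookie (name=value only)."""
    name, value = resp["headers"]["Set-Cookie"].split(";", 1)[0].split("=", 1)
    return {name: value}


def run_scenario():
    """Walk the steps from the answer, plus the mismatch that produces the warning."""
    results = {"preflight": preflight(ALLOWED_ORIGIN)["status"]}
    page = signin_page(ALLOWED_ORIGIN, {})
    jar = cookie_from(page)                       # browser keeps the session cookie
    token = page["headers"]["X-CSRF-Token"]       # app keeps the token (YourAppName.csrfToken)
    creds = {"name": "alice", "password": "correct horse battery staple"}
    good = signin(ALLOWED_ORIGIN, jar, {"X-CSRF-Token": token}, creds)
    results["with_session_and_token"] = good["status"]
    results["user"] = good.get("user")
    # Token sent without the session cookie: the server mints a new session whose
    # token differs, so the check fails even though the token itself is genuine.
    results["token_without_cookie"] = signin(ALLOWED_ORIGIN, {}, {"X-CSRF-Token": token}, creds)["status"]
    results["untrusted_origin"] = signin("https://evil.example.test", jar, {"X-CSRF-Token": token}, creds)["status"]
    return results
```

Two details matter beyond what the answer spells out: a browser refuses a credentialed response whose Access-Control-Allow-Origin is '*', so the origin has to be listed explicitly, and the session cookie needs SameSite=None together with Secure or current browsers will not attach it to a cross-site XHR at all, which reproduces exactly the "token without cookie" failure in the scenario.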
