AngularJS csrf token in development environment - angularjs

I have an app with Django as the server and Angular on the front end.
I know both Django and Angular have built-in support for CSRF (Cross-Site Request Forgery) protection.
So from these resources:
http://django-angular.readthedocs.org/en/latest/csrf-protection.html
Django csrf token + Angularjs
I could implement CSRF protection easily.
But unfortunately that solution is not working for me.
More digging showed that it won't work cross-domain. Well, my Django and Angular will be in the same domain after the build, but I want to test the CSRF in my development environment.
So my question is, how can I use CSRF cross-domain (in this scenario)? At least in my dev environment? (http://localhost/)
Thanks in advance.

I think you could simulate a domain name by modifying the /etc/hosts file;
please refer to the link below for more information, it will surely solve your problem:
https://docs.acquia.com/article/using-etchosts-file-custom-domains-during-development
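To see why the setup fails across origins and what the /etc/hosts trick has to achieve, here is an added example (not from the question, the answer, or the linked django-angular docs): a small re-implementation of the cookie-to-header rule that AngularJS 1.x's $http service applies. $http copies the XSRF cookie into a request header only when the request URL has the same origin (scheme, host and port) as the page. The cookie and header names follow Django's defaults (csrftoken / X-CSRFToken); the page origins, request URLs and cookie values are constructed for the demonstration.

```javascript
// Added example: AngularJS 1.x-style XSRF cookie-to-header logic, reduced to a
// pure function so the same-origin rule can be exercised directly.
// Defaults match Django: cookie "csrftoken", header "X-CSRFToken" (assumed
// configured via $httpProvider.defaults.xsrfCookieName / xsrfHeaderName).
const XSRF_DEFAULTS = { cookieName: 'csrftoken', headerName: 'X-CSRFToken' };

// Parse a "k=v; k2=v2" cookie string (what document.cookie looks like).
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    jar[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Same-origin check: scheme, host AND port must all match. A relative URL is
// resolved against the page origin and is therefore always same-origin.
function isSameOrigin(pageOrigin, requestUrl) {
  const target = new URL(requestUrl, pageOrigin);
  return target.origin === new URL(pageOrigin).origin;
}

// Headers the client would add for this request: the token is attached only
// when the cookie exists and the target is same-origin. A cross-origin target
// (different host, or the same host on another port) gets no header, which is
// exactly the "CSRF verification failed" seen in the question.
function buildXsrfHeaders(pageOrigin, requestUrl, cookieHeader, opts = XSRF_DEFAULTS) {
  const headers = {};
  const token = parseCookies(cookieHeader)[opts.cookieName];
  if (token && isSameOrigin(pageOrigin, requestUrl)) {
    headers[opts.headerName] = token;
  }
  return headers;
}
```

Note the port case: mapping a name such as dev.example.test to 127.0.0.1 in /etc/hosts only helps if Django and the Angular dev server are then reached through one origin. If the API stays on port 8000 and the static app on port 9000, the origins still differ, and the header is still not sent; serving both behind a single dev proxy (or serving the built Angular files from Django) is what makes the same-origin rule pass.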

Related

How to use Symfony CSRF Tokens with React JS

I'm doing an SPA with Symfony and React JS, and my question is how can I use the Symfony CSRF token generator with React to avoid CSRF attacks?
If you develop an SPA, then you're also building an API on the Symfony side (that's usually what people do).
Since the CSRF issue is only related to forms and not APIs (because they usually are stateless), you just do not manage the CSRF issue. Even though we usually do not have this problem, keep in mind that you still need to deal with it if you use cookies/sessions. If you do so, then I recommend you read the documentation of the CSRF component of Symfony.
More insights here: https://security.stackexchange.com/questions/166724/should-i-use-csrf-protection-on-rest-api-endpoints

How to prevent XSS injection in angularjs and webapi

I am implementing OWASP in my project using Angular JS and Web API. Can someone please help me to prevent XSS attacks in my project? I have used ngSanitize to prevent script injection while inserting code from the UI and it is working fine, but using Fiddler I am able to inject the script through the Web API.
Can you please help me with the best approach for this?
Thanks in advance.
If you have installed Microsoft.AspNet.WebApi.Cors
then you should be able to restrict your controllers/endpoints by decorating them with
[EnableCors(origins: "http://mywebsite.com", headers: "*", methods: "*")]
This will restrict that controller/endpoint to only accept CORS requests from that site. Have you tried reading Enabling Cross-Origin Requests on the asp.net site?
And to stop XSS you could try some sort of data validation. Have you got any of the code you're using to show how this XSS is being done on your Web API?
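An added example of the server-side validation the answer above suggests, not code from the question's project or from the answer: a tool such as Fiddler talks to the Web API directly, so ngSanitize in the Angular code never runs, and the server must treat every field as untrusted. Two defences are shown, both applied on the server: an allowlist check for fields whose format is known, and contextual output encoding for free text wherever it is rendered into HTML. The project's Web API is C#; this is an equivalent Node.js sketch, and the field rules and sample payloads are constructed for the demonstration.

```javascript
// Added example: server-side XSS defence for an API that a client can bypass.

// 1. Encode for an HTML text or quoted-attribute context. Every character that
//    can open a tag, terminate an attribute, or close a script block is replaced.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// 2. Allowlist validation for structured fields (constructed rules): reject
//    anything that does not match, instead of trying to strip "bad" parts.
const FIELD_RULES = {
  username: /^[A-Za-z0-9_.-]{3,32}$/,
  email: /^[^\s@<>"']+@[^\s@<>"']+\.[A-Za-z]{2,}$/,
};

function validateField(name, value) {
  const rule = FIELD_RULES[name];
  if (!rule) throw new Error(`no validation rule for field "${name}"`);
  return rule.test(String(value));
}

// 3. What the API does with a posted comment: reject malformed structured
//    fields, store free text verbatim (storage is not the HTML context), and
//    encode at the moment it is placed into HTML.
function handleComment(body) {
  if (!validateField('username', body.username)) {
    return { status: 400, error: 'invalid username' };
  }
  const stored = { username: body.username, text: String(body.text == null ? '' : body.text) };
  return { status: 201, html: renderComment(stored) };
}

function renderComment(c) {
  return `<div class="comment" data-user="${encodeHtml(c.username)}">${encodeHtml(c.text)}</div>`;
}
```

The CORS attribute in the answer limits which browser origins may read responses; it does nothing against a request sent straight from Fiddler, which carries no Origin header at all, so the encoding and validation above have to exist regardless of the CORS policy.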

Ionic / Apache Cordova - HTTP requests best practices

I'm developing an app with the Ionic framework and a JEE + PostgreSQL backend.
I'm actually in doubt about the HTTP requests:
Should I use only JSONP? Or add an Access-Control-Allow-Origin * to my HTTP headers?
Of course, both of these solutions work; the second solution seems insecure to me, but I'm not used to mobile requests (without domain-based call/endpoint) so I don't really know what to choose... I might also be missing some other way to do the job...
Does somebody know how to properly build this kind of communication?
Thank you!
If you want to be very flexible and very secure, you might want to implement a JSON Web Token solution. The server issues JSON Web Tokens to your users. You can define who gets a token. Then the token must be attached to every request from Ionic to your server. The server determines what data to return if the user is authorized.
For JEE there is this package. For Ionic the auth0 repositories are a good place to start. You can find many examples online. I think that is the most elaborate solution available, though it might not be the easiest to implement.

Spring vs Angular js - Rest URLs getting exposed

I have a backend REST app. I'm presently developing the frontend app. Now I am confused as to how to set up the frontend app.
Case 1 - Plan to use Spring and have a frontend controller layer that takes care of calling the REST services. But I need to have models and POJOs set up the same as in the backend to parse the JSON response. This seems like an overload on the frontend. How do I go about this?
Case 2 - Plan to use Angular.js. Then I need to have all my REST URLs in the controller.js, which is completely accessible to anyone. That way I'm totally exposing my REST domain, URLs and request format. Is it not a security threat? How do I go about this?
Can you please tell me which case is better and more secure, and how to resolve the problem attached to it?
Secure your REST endpoints using a scheme like OpenID or OAuth or something else. Spring and numerous other web app frameworks have components to help with such authentication.
AngularJS is a client side framework. You can use Angular along with Spring. They are not mutually exclusive.
Finally, any HTTP request (including RESTful HTTP requests) invoked on a client is easily accessed simply by viewing the network traffic. Chrome, Firefox and other browsers provide tools, out of the box, that make this very easy to do. All the more reason to secure those REST endpoints.

Angularjs and SSO (SAML2)

I came across this AngularJS thing, and I think it is awesome; it really solves many problems I confronted while working on my last web app, with just a few lines of code.
Now, what I didn't find (or was looking for in the wrong places) is the protection of an AngularJS app with SSO (simpleSAMLphp identity provider). How do I deal with this?
What I am going to build will use the Pyramid framework as a backend REST API, and AngularJS (I hope) for the frontend. But how do I protect the app from unauthorized access that skips the SSO login? Any implementation example or lessons from working on a similar case would help (maybe with PHP or Ruby backends and SSO, etc.)
It doesn't seem like Pyramid has any direct support for SAML authentication. I suggest using a third-party application for SAML, for example Shibboleth. The SAML communication is done on the server side, so Angular won't need any integration.
Google something like 'Authentication in Angular JS application' and you can find a lot on protecting your Angular app. To protect your REST API use OAuth, whether it's a PHP or Ruby application.
