
I'm in the process of creating a Laravel API/AngularJS Monster. The idea of completely separating them out (Frontend, DB, API) was mainly because I wanted to get into app development and keep all things separate so the API could do all the grunt work. So in the future I intend to make interfaces that only I will be using, including OS X/iOS/native apps.

However, I'm looking at stuff online and following some setups and tutorials, and I'm seeing that CSRF protection is a good thing to implement; it seems secure and the right thing to do...

But is it necessarily right for an API?

What security measures would be good for using an API?

The only things I really know anything about implementing right now are session cookies and using HTTPS throughout my application(s).

  • I personally would not forge my own site cross-site requests... It's generally not recommended to attack yourself. – PW Kad Oct 08 '14 at 03:38
  • Who is calling your API? How do they authenticate? Do you use session cookies? – Thilo Oct 08 '14 at 03:38
  • The only reason I am thinking this route is because I would like to create interfaces on many different platforms using the same information. Is there a much better solution to this problem? –  Oct 08 '14 at 03:40
  • Right now authentication is done through Laravel's standard Authentication model, not the basic auth. I have not set up session cookies at all. –  Oct 08 '14 at 03:40
  • @PWKad what would you recommend best for contacting an API server that lives on a subdomain? –  Oct 08 '14 at 05:27
  • @Thilo I'm urgently in the process of implementing session cookies to prevent any sort of unauthenticated requests. I'll be the only one talking to this API through different mediums utilizing HTTPS. –  Oct 08 '14 at 05:29

1 Answer

If the API is accessed client-side, then yes, you need CSRF protection.

This assumes that cookies (or another authentication mechanism) are used from the front-end, are passed to your API from JavaScript, and then actions are initiated or content is returned.

For the items that initiate action (i.e. non-safe methods - RFC 7231) you will need to send some sort of CSRF token (e.g. the Synchronizer Token Pattern, which is recommended, or Double Submit Cookies), although there are other valid methods for preventing CSRF such as checking for X-Requested-With or Origin headers.

Whichever method you choose, you would be able to also implement this authentication in your apps. From a custom application, retrieving the token or cookie value is trivial, and passing an extra header is easy too. What makes this CSRF protection work for your website is that the browser will restrict which other domains can read tokens or send headers because of the Same Origin Policy. If your API is on a different domain, CORS can be used to allow access from your website domain only, although it sounds like you're already past this stage. Remember to protect your API with HTTPS as well, set the Secure flag on any cookies, and think about using HSTS to further secure your API and website.

SilverlightFox
  • This is definitely a lot for me to look into, thanks! What exactly do you mean by "IF the API is accessed client-side"? The wording doesn't confuse me, however the front-end is entirely JavaScript with Angular and has no PHP to do a simple csrf_token() method. It seems like there's no other way to access a token for the same session. –  Oct 09 '14 at 15:31
  • @ShawnStrickland: I was speaking generally in case other people googled and found your question - for your case the answer is yes. – SilverlightFox Oct 09 '14 at 15:34