5

I'm using sails.js as the backend, or, more generally, nodejs.

The admin page of my website is accessed by browser, whereas all the non-admin users should access my backend resources through a native mobile app (iOS/Android).

I figured that for native app RESTful HTTP requests, it is not necessary to enable CSRF protection, yet for admin page browser access, it is.

So I wonder if it's possible to enable CSRF protection for browser access and disable CSRF protection for mobile native app access?

dulan

1 Answer

3

You can use different controllers/routes to control which endpoints use CSRF. Look at this answer.

Andi N. Dirgantara
  • Yup, I got it done by differentiating all the mobile HTTP requests by adding '/mobile/*' at the front of the URL, and then adding all the mobile request URLs in config/csrf.js like so: routesDisabled: '/mobile/submit_login,/mobile/upload_user_avatar'. Although it's weird that routesDisabled doesn't support the wildcard way, i.e. routesDisabled: '/mobile/*' – dulan Jul 29 '15 at 11:34
  • Thanks @dulan for sharing your solution, I am also looking for doing this. – Noitidart Dec 06 '18 at 03:02
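The explicit list described in the comments can be generated from the route table instead of being maintained by hand. This is an added example, not code from the thread or from Sails: the helper `buildRoutesDisabled`, the `/mobile/profile/:id` and `/admin` routes, and the controller names are constructed for illustration, and it assumes `routesDisabled` matches exact paths only, as the comment reports.

```javascript
// Added example (not from the original thread).
// Constructed stand-in for the keys of config/routes.js ("VERB /path" or just "/path").
// The two /mobile paths come from the comment; the rest are made up for illustration.
const routes = {
  'POST /mobile/submit_login': 'MobileController.login',
  'POST /mobile/upload_user_avatar': 'MobileController.uploadAvatar',
  'PUT /mobile/upload_user_avatar': 'MobileController.uploadAvatar',
  'GET /mobile/profile/:id': 'MobileController.profile',
  'POST /admin/settings': 'AdminController.settings',
  '/admin': 'AdminController.index'
};

// Hypothetical helper: collect every route path under `prefix` into the
// comma-separated string form used for routesDisabled in the comment.
function buildRoutesDisabled(routeTable, prefix) {
  const exact = new Set();   // de-duplicates paths bound to several verbs
  const skipped = [];        // paths an exact-match list cannot express
  for (const address of Object.keys(routeTable)) {
    // Drop an optional leading HTTP verb ("POST /x" -> "/x").
    const parts = address.trim().split(/\s+/);
    const path = parts[parts.length - 1];
    // Match on a segment boundary so '/mobile' never matches '/mobilex'.
    if (path !== prefix && !path.startsWith(prefix + '/')) continue;
    // Dynamic segments and wildcards need separate handling: report them
    // instead of silently leaving the route CSRF-protected or exempt.
    if (/[:*]/.test(path)) {
      if (!skipped.includes(path)) skipped.push(path);
      continue;
    }
    exact.add(path);
  }
  return { routesDisabled: Array.from(exact).sort().join(','), skipped };
}

const result = buildRoutesDisabled(routes, '/mobile');

// Assumed shape of what config/csrf.js would export (module.exports.csrf = ...).
const csrfConfig = { csrf: { routesDisabled: result.routesDisabled } };

console.log(csrfConfig.csrf.routesDisabled);
console.log('needs manual review:', result.skipped);
```

Exempting a route is only sound when that route authenticates with something a browser does not attach automatically, such as a token header; a `/mobile` route that accepts the admin session cookie is reachable cross-site once CSRF is disabled for it.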