4

I ask this question because in a client-server application the server sends the HTML with a different token hidden in the form for each request. This token is built on the server with a secret key.

But in Angular 2 all forms are already on the client. For a form to contain a token, it needs the secret key to be in the client, and that to me is already a security breach.

So I ask the question: does it make sense to use a CSRF token in Angular 2? If the answer is yes, how could this be done?

rafaelcb21
  • Possible duplicate of [How does Angular 2 (beta) handle with XSS or CSRF?](http://stackoverflow.com/questions/36594516/how-does-angular-2-beta-handle-with-xss-or-csrf) – Ricardo Leon Aug 23 '16 at 04:52

1 Answer

5

Angular 2 includes a CSRF/XSRF mitigation strategy known as the double-submit cookie pattern. From the Angular documentation,

The Angular http client has built-in support for this technique. The default CookieXSRFStrategy looks for a cookie called XSRF-TOKEN and sets an HTTP request header named X-XSRF-TOKEN with the value of that cookie on every request. The server must set the XSRF-TOKEN cookie, and validate the response header for each state modifying request.

So, if you are using the http service, you don't need to do anything extra on the Angular side to get CSRF protection. The server needs to check that the header and cookie values are identical.

Nate Barbettini
  • Hi Nate, I did a login and sent a form in my app and caught the request that went to the server, and in both I did not find anything with the word `csrf` or `XSRF`. A cookie did appear, but it is related to PyCharm. If Angular 2 has CSRF protection by default, how do I activate it? – rafaelcb21 Aug 23 '16 at 05:33
  • @rafaelcb21 What is your backend? I'd recommend posting a separate question with the details of your backend server environment and any relevant code. – Nate Barbettini Aug 23 '16 at 16:33