
Context: I’m using Angular 1.6 (served from s3) + Express.js (API), domain is the same, authentication is done via JWT token in Authorization header, almost all communication is via ajax/xmlhttp requests, no cookies are sent together with request/response, API is open for cross domain requests.

Problem: I need to add CSRF protection. 90% of API requests are ajax but I also have several places where I use regular HTTP POST call using …

What I have learned till now: To be brief, what I got from a lot of articles is that the first layer of defense against CSRF is setting up correct CORS, then I can also use the double-cookie check and finally the Synchronizer Token.

What I plan to do: Add GET /csrf api route, call it on app start, store token in Redis for user:sessionId key, return it to client and use it as header for ajax requests and add it as a hidden field to s

Question: Is this a correct way of doing the Synchronizer Token type of defense? Does it make sense to add a /csrf API endpoint if I haven’t configured CORS for the API? (It’s a bit complicated to configure CORS now since there are clients who use the API from different domains.)

Igor Pomogai
  • Usually, the CSRF cookie for a single-page app is sent with the index.html and does not deserve its own API endpoint. Maybe [this question](https://stackoverflow.com/questions/43364213/ng2-get-csrf-token-from-cookie-post-it-as-header/43365939#43365939) will help you. – n00dl3 Sep 25 '17 at 12:34
  • @n00dl3, thank you, now I understand that I should follow the cookie-to-header approach, but the only issue is that index.html is stored on an AWS S3 bucket and is completely separate from the API. So the only way I can get a token to the frontend is by receiving it via an ajax call in the response body and putting it in cookies on the frontend. Do you think this will work? – Igor Pomogai Sep 25 '17 at 13:38
  • IMHO that endpoint is not a problem if you have no choice. – n00dl3 Sep 25 '17 at 14:09
  • @n00dl3 ok, thank you – Igor Pomogai Sep 25 '17 at 14:18

0 Answers