
My application uses ASP.NET Core 2.0 Web API with a front-end UI in Angular 4. I would like to check Antiforgery before I submit my API to the Angular 4 developer. I am using Fiddler to test all my APIs.

I have gone through this topic: Angular2 ASP.NET Core AntiForgeryToken

and applied the same, but I don't know how to test it from Fiddler. I think the implementation is based on a cookie, whereas to check it over HTTP I will need it as an HTTP header.

And the point is: how will I get the token then?

  • Anti-forgery tokens are based on the request having the cookie value and the authentication token. If you skip the cookie then anyone could just capture the request and the anti-forgery is on – Marcus Höglund Jan 24 '18 at 06:55
  • You and the OP in the linked question are confusing a few things. XSRF (Cross Site Request Forgery, that's what the AntiForgery Request is for) is not the same as cross-site scripting. XSRF is when someone puts a URL into a picture's src and tries to call code on a site where you are logged in, whereas cross-site scripting tries to inject a script into the page you are visiting so they can gain your cookie or execute specific requests – Tseng Jan 24 '18 at 07:08
  • Antiforgery request is good if you want to protect your application from being posted to from somewhere else, i.e. someone making a copy of a form from your website, putting it somewhere else, filling it with data and posting it back to your website. AFRT will protect you here, because the attacker won't have the correct token when posting back and it will be rejected. – Tseng Jan 24 '18 at 08:10
  • If you want to prevent **JavaScript** from another domain from calling your API, you have to use CORS (Cross-Origin Resource Sharing). This allows you to specify that only specific websites can call your web API. But remember, this is only valid **for browsers**, since browsers implement the same-origin policy. When calling via an HTTP client (C#, Java, Node), CORS won't be validated. With WebAPI you also shouldn't use cookies, as cookies imply "state". JWT or opaque tokens that are passed with each request are more suitable for WebAPI/RESTful services – Tseng Jan 24 '18 at 08:13
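One way to wire up ASP.NET Core 2.0 anti-forgery so the token travels as an HTTP header (which is what both Angular's HttpClient and a Fiddler test need), as an added example that is not the asker's code or the linked answer's; the route names, the `XSRF-TOKEN` cookie name and the `OrdersController` are assumptions:

```csharp
// Added example: header-based anti-forgery for a cookie-authenticated Web API.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Angular's HttpClient reads the XSRF-TOKEN cookie and echoes it in this header.
        services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app) => app.UseMvc();
}

[Route("api/[controller]")]
public class AntiforgeryController : Controller
{
    private readonly IAntiforgery _antiforgery;
    public AntiforgeryController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    // Step 1 (GET): issues BOTH halves. The framework sets its own HttpOnly cookie
    // (the "cookie token"); the readable XSRF-TOKEN cookie carries the "request token".
    [HttpGet("token")]
    [IgnoreAntiforgeryToken]
    public IActionResult GetToken()
    {
        AntiforgeryTokenSet tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
            new CookieOptions { HttpOnly = false });
        return NoContent();
    }
}

[Route("api/[controller]")]
public class OrdersController : Controller
{
    // Step 2 (POST): validation passes only when the request carries the framework's
    // cookie from step 1 AND the matching request token in the X-XSRF-TOKEN header.
    // In Fiddler: send the GET, copy both Set-Cookie values, then compose the POST with
    // "Cookie: <framework cookie>" and "X-XSRF-TOKEN: <value of the XSRF-TOKEN cookie>".
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Create([FromBody] object order) => Ok();
}
```

Sending the POST with the header but without the framework's cookie (or vice versa) should return 400, which is the check the first comment describes.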

0 Answers