I'm using nuxt for front-end, phoenix/elixir for API server, and nginx for reverse-proxy.
I've hit the wall when I tried to make a form for uploading files.
How do I work with the csrf?
Asked
Active
Viewed 1,363 times
1
Sheharyar
- 73,588
- 21
- 168
- 215
HelloWorld
- 973
- 2
- 9
- 23
-
I posted two answers, one that disables CSRF and another that uses it – Sheharyar Dec 12 '18 at 09:11
3 Answers
5
Use CSRF
CSRF provides a lot of security benefits, especially for session-based web applications, so it might make sense for you to keep using it (if you aren't using something like auth-token instead). This can usually get a bit complicated in frontend SPAs, but the basic process is to:
Render the CSRF token (usually in a hidden field or JS variable) using
get_csrf_token/0on your webpage on the initial requestRead the value and send it back to the server in the
X-CSRF-TOKENrequest header in your subsequent ajax callsRegenerate a new CSRF token on the server after sometime and send it back in the response headers of an existing request or in the response of a dedicated request just for the token
Save it in your webapp for the next non-
GETrequest
(Assuming that your SPA isn't a completely separate frontend project and is atleast partially server-rendered)
Here are some other resources:
- Information Security: CSRF protection and Single Page Apps
- HexDocs: Plug.CSRFProtection
- Blog Post: Elixir, Phoenix and CSRF
Sheharyar
- 73,588
- 21
- 168
- 215
-
I'm using cookie-session, doesn't cookie-session offer enough security? – HelloWorld Dec 12 '18 at 11:21
-
Depends on your use-case, but the short answer is 'No'. To make things easier for SPAs, I would personally recommend to disable CSRF, and instead use auth tokens. You should explicitly send the auth token in request header for each ajax call you make. – Sheharyar Dec 12 '18 at 23:17
-
Two ways to go: a) If it's a completely separate SPA, auth token would be the better choice. b) If the frontend is server-rendered with a few Nuxt/Vue components sprinkled at different places, then stick with CSRF. – Sheharyar Dec 12 '18 at 23:26
-
0
Disable CSRF
If you aren't using sessions in your phoenix-framework API server (and using something like auth tokens, for example), the simplest option would be to disable CSRF. You can do that by removing the :protect_from_forgery plug from your Router pipeline:
pipeline :browser do
plug :accepts, ["html"]
plug :fetch_session
plug :fetch_flash
# plug :protect_from_forgery ## REMOVE THIS
end
Note: SPAs generally use the :api pipeline, where this is excluded by default
Sheharyar
- 73,588
- 21
- 168
- 215
0
If you're only interacting with your backend via AJAX, you can disable CSRF protection in favour of requiring a custom request header, per OWASP's advice.
Tobias Fünke
- 2,034
- 3
- 24
- 38