Do CSRF attacks apply to APIs?


Question

I'm writing a Django RESTful API to back an iOS application, and I keep running into Django's CSRF protections whenever I write methods to deal with POST requests.

My understanding is that cookies managed by iOS are not shared by applications, meaning that my session cookies are safe, and no other application can ride on them. Is this true? If so, can I just mark all my API functions as CSRF-exempt?

Accepted answer

That's not the purpose of CSRF protection. CSRF protection is to prevent direct posting of data to your site. In other words, the client must actually post through an approved path, i.e. view the form page, fill it out, submit the data.

An API pretty much precludes CSRF, because its entire purpose is generally to allow third-party entities to access and manipulate data on your site (the "cross-site" in CSRF). So, yes, I think as a rule any API view should be CSRF exempt. However, you should still follow best practices and protect every API endpoint that actually makes a change with some form of authentication, such as OAuth.
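Added example (not from the question or the answer above, and not Django's own code): a framework-agnostic sketch in plain Python of the rule the answer points at, i.e. a state-changing endpoint must be authenticated, and it needs a CSRF check only when the credential is a cookie that a browser attaches on its own, not when the client sends a bearer token explicitly. The request dict shape, `VALID_SESSIONS`, `VALID_API_TOKENS` and `authorize_state_change` are constructed for this example.

```python
import hmac

# Constructed stand-ins for a real session store and API token store.
VALID_SESSIONS = {"sess-abc": "alice"}
VALID_API_TOKENS = {"tok-ios-123": "alice"}


def authenticate(request):
    """Return (user, method) for a request, or (None, None).

    `request` is a plain dict (constructed for this example) with "headers"
    and "cookies" sub-dicts, mirroring what a framework would expose.
    A bearer token is attached deliberately by the client (an iOS app), so a
    third-party site cannot cause a browser to send it: no CSRF exposure.
    A session cookie is attached by the browser automatically, so a request
    carrying only a cookie also needs a CSRF token that only same-origin
    pages can read.
    """
    auth = request["headers"].get("Authorization", "")
    if auth.startswith("Bearer "):
        user = VALID_API_TOKENS.get(auth[len("Bearer "):])
        if user:
            return user, "token"
    user = VALID_SESSIONS.get(request["cookies"].get("sessionid", ""))
    if user:
        return user, "cookie"
    return None, None


def csrf_ok(request):
    """Double-submit check: the header token must equal the CSRF cookie."""
    cookie_token = request["cookies"].get("csrftoken", "")
    header_token = request["headers"].get("X-CSRFToken", "")
    return bool(cookie_token) and hmac.compare_digest(cookie_token, header_token)


def authorize_state_change(request):
    """Decide whether a POST/PUT/DELETE may proceed; returns (status, reason).

    200 only when the caller is authenticated and, for cookie-authenticated
    callers, the CSRF check also passes. Token callers skip the CSRF check,
    which is the only case where marking the view CSRF-exempt is safe.
    """
    user, how = authenticate(request)
    if user is None:
        return 401, "authentication required"
    if how == "cookie" and not csrf_ok(request):
        return 403, "CSRF check failed"
    return 200, f"ok as {user} via {how}"
```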

