CSRF验证需要或使用REST的API的时候呢? [英] CSRF validation needed or not when using RESTful API?
问题描述
时,写在FOSRestBundle的页面的下列
CSRF验证
在建立一个单一的应用程序,都应该通过HTML形式,以及通过REST API处理形式,一种运行与CSRF令牌验证出现问题。在大多数情况下,有必要让他们为HTML表单,但它是没有意义的使用他们的REST API。由于这个原因,是一种形式的扩展禁用跨站请求伪造验证用户具有特定的作用。当然,这需要REST API用户进行身份验证自己并获得分配一个特殊的角色。
<一个href="https://github.com/FriendsOfSymfony/FOSRestBundle/blob/master/Resources/doc/2-the-view-layer.md#csrf-validation" rel="nofollow">https://github.com/FriendsOfSymfony/FOSRestBundle/blob/master/Resources/doc/2-the-view-layer.md#csrf-validation
这是解释是否正确?你能解释为什么它是正确的吗?
感谢您!
CSRF令牌验证实际上并不用于实现基于REST的Web服务,因为它违反了REST的初始原则( REST是无状态的没有客户上下文,被保存在服务器侧)。而不是一个可以检查Referer头(它不需要每用户状态)和自定义的头字段也许一些组合和GET参数。如果你的API是不公开的,那么你应该使用一个API密钥的身份验证和OAuth的。
The following is written on the of the page of FOSRestBundle:
"CSRF validation
When building a single application that should handle forms both via HTML forms as well as via a REST API, one runs into a problem with CSRF token validation. In most cases it is necessary to enable them for HTML forms, but it makes no sense to use them for a REST API. For this reason there is a form extension to disable CSRF validation for users with a specific role. This of course requires that REST API users authenticate themselves and get a special role assigned."
Is this explanation correct? Could you explain why it's correct?
Thank you!
CSRF token validation is not actually used for implementing RESTful Web Services, because it violates the initial principles of REST (REST is stateless, there is no client context, being saved on the server side). Instead one can check the Referer Header (it does not require a per-user state) and maybe some combination of custom header field and GET parameter. If your API is not public, then you should use an API-key based authentication or OAuth.
这篇关于CSRF验证需要或使用REST的API的时候呢?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
