使用自定义必需的HTTP标头作为来自CSRF的API保护方法是否安全? [英] Is it safe to use a custom required HTTP header as a protection method from the CSRF for an API?

问题描述

我有一个为SPA构建的JSON API，该SPA仅接受带有"Accept:application/json"标头的请求.因此，在浏览器中提交以下表单将导致不可接受". HTTP错误.

I have a JSON API built for a SPA which accepts only requests with "Accept: application/json" header. So submitting the following form in the browser will cause "Not Acceptable." HTTP error.

<form method="POST" action="https://api.example.domain/resource">
    <input type="password" name="password" value="CSRF">
    <input type="submit" value="Click!">
</form>

这是否意味着该API可以抵抗CSRF类型的攻击，或者我错过了什么?

Is it means that the API has an immune to CSRF types of attack or am I missing something?

推荐答案

它应该很安全，但是仍然有可能该API容易受到攻击.

It should be quite secure, but still, there's a chance that the API is vulnerable.

如果攻击者可以在网站上找到XSS漏洞，则可以添加标头:Accept: application/json使用JavaScript，然后执行CSRF攻击.

If an attacker could find an XSS vulnerability in the website he could be able to add the header: Accept: application/json using JavaScript and then perform the CSRF attack.

由于这个原因，推荐的做法是依靠一些JavaScript不能设置的标头，因为它们位于禁止"标头列表中，只有浏览器可以修改它们，因此此处不能使用XSS漏洞.

For that reason, the recommendable is to rely on some headers that can't be set by JavaScript because they are on the 'forbidden' headers list, only browsers can modify them so no XSS vulnerability can be used in here.

您将在OWASP中找到更多信息: https://www .owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

You will find more information in OWASP: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

这篇关于使用自定义必需的HTTP标头作为来自CSRF的API保护方法是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！