在Spring WebFlow应用程序中防止跨站点请求伪造 [英] Prevent Cross-Site Request Forgery in a Spring WebFlow Application

问题描述

我正在寻找一种（希望很简单）的方式来添加 CSRF 保护基于Spring WebFlow 2的应用程序。

I'm looking for a (hopefully straightforward) way to add CSRF protection to an application build on Spring WebFlow 2.

一种可以很好地迁移到Spring WebFlow 3（发行时）的方法是

An approach that migrates well to Spring WebFlow 3 (when released) is preferred.

推荐答案

阻止CSRF的最简单方法是检查引用 request.getHeader（ referer ）; 以确保请求来自同一域。 CSRF预防速查表

The easiest way to prevent CSRF it to check the referer request.getHeader("referer"); to make sure the request is coming from the same domain. This method is covered by the CSRF Prevention Cheat Sheet.

在内存需求有限的嵌入式网络硬件上经常看到这种CSRF保护系统，摩托罗拉在大多数硬件上都采用了这种方法。这不是最安全的CSRF保护，基于令牌的保护更好，但是xss仍然可以绕过两个系统。基于令牌的CSRF保护的最大问题是返回并修复每个请求都需要花费大量时间，您可能会错过一些请求。

Its common to see this CSRF protection system on embedded network hardware with limited memory requirements, Motorola uses this method on most of their hardware. This isn't the most secure CSRF protection, token based protection is better but both systems can still be bypassed with xss. The biggest problem with token based CSRF protection is that it takes alot of time to go back and fix every request and you will probably miss a few requests.

一种安全的实现方法是检查所有传入的POST请求的引荐来源，并将POST用于敏感功能，例如更改密码，添加用户帐户，执行代码，配置更改。 GET仅应用于导航或搜索，基本上GET对于不会引起状态变化的任何事物都是安全的。

A secure way to implement this is to check the referer on all incoming POST requests, and use POST for sensitive functions like changing passwords, adding user accounts, executing code, making configuration changes. GET should only be used for navigation or searching, basically GET is safe for anything that doesn't cause a state change.

请确保您使用 xss扫描器。

这篇关于在Spring WebFlow应用程序中防止跨站点请求伪造的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！