单独使用Nginx进行简单的CSRF保护 [英] Simple CSRF protection using nginx alone

问题描述

我有一台nginx服务器，可提供普通的HTML和JS文件。

I have an nginx server serving plain HTML and JS files.

然后js代码调用各种REST API来从API服务器获取/发布数据。

The js code then calls various REST API to GET/POST data from API servers.

如果nginx收到对/ api /位置的请求，它将转发该请求到另一个处理所有API的服务器。这个api服务器是在Ruby on Rails中构建的。

If nginx receives a request for /api/ location, it forwards the request to another server which handles all the APIs. This api server is built in Ruby on Rails.

由于我所有的纯HTML页面都是直接由nginx交付的，因此在呈现它们时我无法进行服务器端会话。

Since all my plain HTML pages are delivered by nginx directly, I cant have server side sessions while they are rendered.

如何防止CSRF攻击？

What can I do to prevent CSRF attacks?

推荐答案

CSRF令牌要求攻击者从您的域中读取值才能发送请求。

The point of CSRF tokens is to require attackers to read a value from your domain in order to send requests.

因此，您可以在API中拥有单独的终结点，该终结点仅返回CSRF

Therefore, you can have a separate endpoint in the API that simply returns a CSRF form token.

由于相同的来源政策，攻击者将无法读取令牌（出于相同的原因，他们无法从HTML源读取令牌） ），这样您就会安全。

这样的缺点是需要额外的HTTP请求。

Attackers will not be able to read the token due to the same-origin policy (for the same reason that they can't read a token from HTML source), so you will be safe.
This has the disadvantage of requiring an extra HTTP request.

此外，请确保响应不是有效的Javascript，否则攻击者可以将其作为< script> 标签运行，并使用原型&属性提示读取值

Also, make sure that the response is not valid Javascript, or attackers can run it as a <script> tag and use prototype & property tricks to read the value

这篇关于单独使用Nginx进行简单的CSRF保护的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！