When is it Necessary to Protect Forms with a Token (CSRF attacks)?


Question

As far as I understand, a web developer should create a token and put it in a hidden field of the form to prevent CSRF attacks. Also, he should save the same token in the session and then, when the form is submitted, check that the tokens are equal.

I came to a question... is it necessary to use this technique for all forms? I mean, imagine a form that is created for signing in. I can't see any harm done to the site and/or user if there is no CSRF protection, because the user has no privileges (like he would have if he were signed in). The same goes for sign-up... Am I right?

P.S. If I'm wrong, please explain the concept to me.

Answer

Generally speaking, you want to protect your form any time its submission will result in a change of content/state, be it adding, removing or editing content, or sharing it with an external source ("share on xyz!").

An example of a form you wouldn't need to protect is a search box, since it doesn't result in any change of content.

If you're unsure, any form which will result in something being saved/deleted (whether on your site or not) should be protected.

And if you are really unsure, just add the token; it doesn't cost anything to be safe.
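The token scheme the question describes and the answer recommends (a random per-session token placed in a hidden field and compared against the session on submit), as an added example that is not part of the original question or answer. It uses only the Python standard library, with plain dicts standing in for the server-side session and the submitted form; the names `issue_token`, `verify_token`, `submit_protected` and the constructed `demo()` flow are my own, not from any framework. It shows why the check works: the attacker's page can make the victim's browser send the session cookie, but it cannot read the token that was served to that browser, so a forged or missing token is rejected while the read-only search box needs no check at all.

```python
import hmac
import html
import secrets

SESSION_KEY = "csrf_token"   # key under which the server-side session keeps the token
FIELD_NAME = "csrf_token"    # name of the hidden form field


def issue_token(session: dict) -> str:
    """Return the session's CSRF token, creating one on first use.

    The token is 256 bits of CSPRNG output and lives only in the server-side
    session and in pages served to that same browser. A third-party site can
    make the victim's browser POST to us with the session cookie attached, but
    it cannot read this value, so it cannot put it in the form it submits.
    """
    token = session.get(SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[SESSION_KEY] = token
    return token


def hidden_field(session: dict) -> str:
    """Render the hidden input that goes into every state-changing form."""
    value = html.escape(issue_token(session))
    return f'<input type="hidden" name="{FIELD_NAME}" value="{value}">'


def verify_token(session: dict, form: dict) -> bool:
    """Compare the submitted token with the one stored in the session.

    A token missing on either side fails closed, and the comparison is
    constant-time so the check does not leak the token through timing.
    """
    expected = session.get(SESSION_KEY)
    submitted = form.get(FIELD_NAME)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def submit_protected(session: dict, form: dict, action) -> str:
    """Gate a state-changing submission (add/edit/delete/share) behind the check."""
    if not verify_token(session, form):
        return "403 Forbidden: missing or invalid CSRF token"
    return action(form)


def search(form: dict) -> str:
    """A read-only search box: nothing is saved or deleted, so no token is required."""
    return f"results for {form.get('q', '')!r}"


def demo() -> tuple:
    """Legitimate submit, forged cross-site submit, and submit with no token."""
    session = {}                   # constructed stand-in for one browser's server-side session
    token = issue_token(session)   # the same value hidden_field(session) renders into the page

    def delete(form: dict) -> str:
        return f"deleted post {form['post_id']}"

    # 1. The form we served posts back the token it was given.
    legit = submit_protected(session, {"post_id": "7", FIELD_NAME: token}, delete)

    # 2. A hostile page auto-submits a form to /delete; the victim's browser attaches
    #    the session cookie, but the attacker can only guess at the token.
    forged = submit_protected(
        session, {"post_id": "7", FIELD_NAME: secrets.token_urlsafe(32)}, delete
    )

    # 3. The same attack with the hidden field left out entirely.
    missing = submit_protected(session, {"post_id": "7"}, delete)

    return legit, forged, missing


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
    print(search({"q": "csrf"}))
```

The token is issued once per session rather than once per form so that a user with two tabs open does not have one of them rejected; rotating it after login or privilege changes is the usual refinement. Keep the comparison constant-time and fail closed on a missing token on either side, exactly as `verify_token` does.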

