CSRF Protection in ExpressJS


Question

From http://sporcic.org/2012/10/csrf-with-nodejs-and-express-3

// Express 3 bundled csrf middleware: mints a token into req.session._csrf
// (session middleware must already be mounted above this line) and rejects
// state-changing requests that do not send it back.
app.use(express.csrf());
app.use(function(req, res, next){
    // Expose the session token to templates as `token` so forms can embed it.
    res.locals.token = req.session._csrf;
    next();
});
// Routes are mounted after the csrf check so every handler is covered.
app.use(app.router);

To make use of the above protection, does it mean I should put a hidden _csrf input in ALL of my forms, including admin-only pages?

Answer

One option is to add a hidden input field to all your forms, as you mention. But according to the Express docs on csrf:


The default value function checks req.body generated by the bodyParser() middleware, req.query generated by query(), and the "X-CSRF-Token" header field.

So depending on your client-side framework, you could also use the query string or the X-CSRF-Token alternatives.

The point remains that you need to:

  • pass the _csrf token from Express to your client side
  • return the _csrf token from the client side back to Express on all your state-mutating requests (POST/PUT/DELETE) so Express can compare it against req.session._csrf to complete the cycle.

For example, if your client side is in Angular, the $http module offers csrf protection by default, looking for a cookie called XSRF-TOKEN and returning this value on all state-mutating requests (POST/PUT/DELETE) through a header called X-XSRF-TOKEN. This is an unlucky coincidence, because the name differs from the header name where Express looks for it, which is X-CSRF-TOKEN (notice -XSRF- vs. -CSRF-).

To overcome this, you need to:

Step 1: On the Express side, augment the default value function of the CSRF middleware to look for the token value in the X-XSRF-TOKEN header, in addition to all the other default places:

app.use(express.csrf({
    value: function(req) {
        // Same lookup order as the default value function: body, query, header.
        var token = (req.body && req.body._csrf) ||
            (req.query && req.query._csrf) ||
            (req.headers['x-csrf-token']) ||
            // This is the only addition compared to the default value function
            (req.headers['x-xsrf-token']);
        return token;
    }
}));

Step 2: On the Express side again, set the token value added by the CSRF middleware under req.session._csrf in the cookie that Angular will look for, using a custom middleware:

app.use(function(req, res, next) {
    // Cookies are set on the response, not the request. Angular reads this
    // cookie from document.cookie, so it must not be marked httpOnly.
    res.cookie('XSRF-TOKEN', req.session._csrf);
    next();
});

Now Angular will find it and include it in the X-XSRF-TOKEN header without any further action.
