Do CSRF attacks apply to API's?

Question

In particular, I'm writing a Django RESTful API to back an iOS application, and I keep running into Django's CSRF protections whenever I write methods to deal with POST requests.

My understanding is that cookies managed by iOS are not shared by applications, meaning that my session cookies are safe, and no other application can ride on them. Is this true? If so, can I just mark all my API functions as CSRF-exempt?

Recommended answer

That's not the purpose of CSRF. CSRF is to prevent direct posting of data to your site. In other words, the client must actually post through an approved path, i.e. view the form page, fill it out, submit the data.

An API pretty much precludes CSRF, because its entire purpose is generally to allow 3rd-party entities to access and manipulate data on your site (the "cross-site" in CSRF). So, yes, I think as a rule any API view should be CSRF exempt. However, you should still follow best practices and protect every API endpoint that actually makes a change with some form of authentication, such as OAuth.
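As an added illustration of the answer's last point (this is example code, not part of the original post and not Django's own code), the following self-contained Python models three versions of a state-changing endpoint: a cookie-session endpoint with the CSRF check switched off (what marking a session-authenticated view CSRF-exempt amounts to), the same endpoint guarded by a per-session CSRF token carried in the form, and a bearer-token endpoint of the kind an OAuth-protected API would expose. The `Server` and `Browser` classes, the hostnames and the users are constructed for the example; the browser model captures only one fact that matters here: cookies for the API host are attached to every request to that host no matter which page initiated it, whereas an `Authorization` header appears only when the client's own code sets it.

```python
import hmac
import secrets
from dataclasses import dataclass, field

API_HOST = "api.example.test"  # constructed hostname for the example


@dataclass
class Request:
    """Simplified HTTP request as the API host would receive it."""
    method: str
    path: str
    initiator: str                      # page/site that caused the request
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class Browser:
    """Constructed browser model: cookies set for API_HOST ride along on every
    request to API_HOST regardless of the initiating page; custom headers are
    present only when the initiating page's own script supplied them.
    (SameSite cookie attributes and CORS preflights are deliberately not
    modelled; this is the classic form-post CSRF shape.)"""

    def __init__(self):
        self.cookie_jar = {}

    def send(self, initiator, path, form=None, headers=None):
        return Request("POST", path, initiator,
                       cookies=dict(self.cookie_jar),
                       headers=dict(headers or {}),
                       form=dict(form or {}))


class Server:
    """Constructed API host holding sessions, bearer tokens and per-user state."""

    def __init__(self):
        self.sessions = {}        # session id -> {"user": ..., "csrf": ...}
        self.bearer_tokens = {}   # opaque token -> user
        self.balances = {}        # user -> state that a POST changes

    def login(self, browser, user):
        """Cookie-based login; returns the CSRF token tied to the session."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        browser.cookie_jar["sessionid"] = sid
        self.balances.setdefault(user, 100)
        return self.sessions[sid]["csrf"]

    def issue_bearer(self, user):
        """Token-based credential for a non-browser client (e.g. a mobile app)."""
        tok = secrets.token_urlsafe(24)
        self.bearer_tokens[tok] = user
        self.balances.setdefault(user, 100)
        return tok

    def _transfer(self, user):
        self.balances[user] -= 10   # the state change the endpoint performs
        return True

    def transfer_cookie_only(self, req):
        """Session cookie is the only check: any page that can make the
        victim's browser POST here succeeds, because the cookie is attached."""
        sess = self.sessions.get(req.cookies.get("sessionid"))
        return False if sess is None else self._transfer(sess["user"])

    def transfer_cookie_with_csrf(self, req):
        """Session cookie plus a per-session CSRF token that the form must
        carry; a cross-site page cannot read the token, so it cannot supply it."""
        sess = self.sessions.get(req.cookies.get("sessionid"))
        if sess is None:
            return False
        submitted = req.form.get("csrfmiddlewaretoken", "")
        if not hmac.compare_digest(submitted, sess["csrf"]):
            return False
        return self._transfer(sess["user"])

    def transfer_bearer(self, req):
        """Credential lives in the Authorization header; cookies are ignored,
        so nothing is attached automatically and CSRF does not apply."""
        auth = req.headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return False
        user = self.bearer_tokens.get(auth[len("Bearer "):])
        return False if user is None else self._transfer(user)


def run_scenarios():
    """Returns {endpoint: (legitimate request accepted, forged request accepted)}."""
    server, browser = Server(), Browser()
    csrf = server.login(browser, "alice")
    legit = browser.send("https://app.example.test", "/transfer",
                         form={"csrfmiddlewaretoken": csrf})
    forged = browser.send("https://evil.example.test", "/transfer")  # cookie rides along
    results = {
        "cookie_only": (server.transfer_cookie_only(legit),
                        server.transfer_cookie_only(forged)),
        "cookie_with_csrf": (server.transfer_cookie_with_csrf(legit),
                             server.transfer_cookie_with_csrf(forged)),
    }
    tok = server.issue_bearer("bob")
    legit_bearer = browser.send("https://app.example.test", "/transfer",
                                headers={"Authorization": f"Bearer {tok}"})
    results["bearer"] = (server.transfer_bearer(legit_bearer),
                         server.transfer_bearer(forged))
    return results


if __name__ == "__main__":
    for name, (ok, forged_ok) in run_scenarios().items():
        print(f"{name:18s} legit={ok} forged={forged_ok}")
```

The `cookie_only` row is the case to avoid: a session-cookie-authenticated view with the CSRF check disabled accepts the forged request. The other two rows show the two ways out: keep the CSRF token if the endpoint is driven by browser sessions, or authenticate with a credential the browser never attaches on its own (a bearer/OAuth token), which is the situation where exempting the view is safe and matches what the answer recommends.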
