使用自定义所需的 HTTP 标头作为来自 CSRF 的 API 保护方法是否安全? [英] Is it safe to use a custom required HTTP header as a protection method from the CSRF for an API?

问题描述

我有一个为 SPA 构建的 JSON API，它只接受带有Accept: application/json"标头的请求.所以在浏览器中提交以下表单会导致Not Acceptable".HTTP 错误.

I have a JSON API built for a SPA which accepts only requests with "Accept: application/json" header. So submitting the following form in the browser will cause "Not Acceptable." HTTP error.

<form method="POST" action="https://api.example.domain/resource">
    <input type="password" name="password" value="CSRF">
    <input type="submit" value="Click!">
</form>

这是否意味着 API 对 CSRF 类型的攻击具有免疫力，还是我遗漏了什么?

Is it means that the API has an immune to CSRF types of attack or am I missing something?

推荐答案

它应该是相当安全的，但 API 仍有可能存在漏洞.

It should be quite secure, but still, there's a chance that the API is vulnerable.

如果攻击者能够在网站中发现 XSS 漏洞，他可以使用 JavaScript 添加标头:Accept: application/json，然后执行 CSRF 攻击.

If an attacker could find an XSS vulnerability in the website he could be able to add the header: Accept: application/json using JavaScript and then perform the CSRF attack.

出于这个原因，建议依赖一些 JavaScript 无法设置的标头，因为它们在禁止"标头列表中，只有浏览器可以修改它们，因此这里不能使用 XSS 漏洞.

For that reason, the recommendable is to rely on some headers that can't be set by JavaScript because they are on the 'forbidden' headers list, only browsers can modify them so no XSS vulnerability can be used in here.

您可以在 OWASP 中找到更多信息:https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

You will find more information in OWASP: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

这篇关于使用自定义所需的 HTTP 标头作为来自 CSRF 的 API 保护方法是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！