如何从客户prevent CSRF攻击无的ASP.NET Web API饼干？ [英] How do you prevent CSRF attacks from clients without cookies in ASP.NET Web API?

问题描述

我在做一个ASP.NET Web API服务2作为一个RESTful API以支持移动应用程序。

I'm making an ASP.NET Web API 2 service as a RESTful API to support mobile applications.

问题是所有的CSRF在网络上，包括文章：

The problem is all the articles on the web on CSRF including:

• preventing CSRF在黑客的ASP.NET Web API


• 使用ASP.NET MVC的AntiForgeryToken prevent跨站请求伪造（）辅助


• preventing跨站请求伪造（CSRF）攻击

• Preventing CSRF Hacks in ASP.NET Web API
• Prevent Cross Site Request Forgery using ASP.NET MVC's AntiForgeryToken() Helper
• Preventing Cross Site Request Forgery (CSRF) Attacks

关于基于cookie的防CSRF验证说话。

All speak about cookie-based anti-CSRF validation.

我需要把这样一个cookie在我的手机应用程序，不仅如此，它有前来pre加载应用程序立即开展工作。有没有放在这种反CSRF安全方法，无需设置cookie的方法吗？或者是有可能的一种方式，以pre-装载安全Cookie在移动应用程序，所以我们可以立即使用它没有一个cookie设定步骤？

I need to put such a cookie in my mobile application, and not only that, it has to come pre-loaded for the application to immediately work. Is there a way to put in such anti-CSRF security methods without having to set cookies? Or is there maybe a way to pre-load a security cookie in a mobile application so we can immediately use it without a cookie setting step?

推荐答案

答：你不应该需要的。

您将需要保护你的Web API用某种认证机制（presumably），我建议只让用通过HTTPS的API。实施 HSTS还建议。

You will need to protect your Web API with some sort of authentication mechanism (presumably), and I recommend only making your API available over HTTPS. Implementing HSTS is also recommended.

当饼干在客户端上共享的CSRF攻击只能发生。我的意思是，客户端可以访问来自多个域的cookie（如Web浏览器存储Cookie对您访问的每个站点）。然而，Web应用程序的API客户端通常只接触一个域（您的API）。作为客户端不共享任何跨站攻击可能不是你的API中使用Cookie（HTTP客户端的Web应用程序比在手机浏览器HTTP客户端独立的 - 或者说应该是）。因此，你的web应用程序的API应该已经对安全CSRF如果API仅适用于移动应用程序。

A CSRF attack can only happen when cookies are shared on the client. By that I mean that the client has access to cookies from multiple domains (such as a web browser storing cookies for each site you visit). However, a web application API client typically only contacts a single domain (that of your API). Any cross site attack cannot use cookies within your API as the client is not shared (HTTP client in web application is separate than HTTP client in the mobile browser - or should be). Therefore your web application API should already be safe against CSRF if the API is for your mobile application only.

请注意，根据<一个href=\"http://stackoverflow.com/questions/24573814/how-do-you-$p$pvent-csrf-attacks-from-clients-without-cookies-in-asp-net-web-api/24586323?noredirect=1#comment52676983_24586323\">Jaxidian's评论，上面是假设Cookie被用作会话管理机制，而不是一个HTTP定向一个（例如基本身份验证，NTLM或Kerberos）。

Note, as per Jaxidian's comment, the above is assuming that cookies are used as the session management mechanism rather than an HTTP orientated one (e.g. basic auth, NTLM or Kerberos).

这篇关于如何从客户prevent CSRF攻击无的ASP.NET Web API饼干？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！