CSRF protection on iOS native app registration form?

Question
I have a website that uses Django as the backend. I am now developing an iOS application that connects to the same backend. I am planning to use OAuth2 authentication for login and onwards. However, I just don't know what to do for the registration form. The registration form will POST data like email, username and password.
Since there is no CSRF token for the app, it would get a 403 error. If I do csrf_exempt on the registration view, I don't know how secure it would be.
I searched Stack Overflow for existing questions but found conflicting answers. Some say CSRF protection is needed on the registration form while some say it's not required.
I have a couple of questions I would like to ask.
1) What are the best practices for securing such registration forms?
2) If CSRF protection is required, how would one go about achieving that?
I would really appreciate it if someone could point me in the right direction as to what should be done to make the registration form secure and what the best practices are.
Thank you.
Answer

CSRF attacks don't occur from applications that don't act like a browser. Apart from that, the iOS cookie store is not shared between applications. If your iOS application doesn't work like a web browser, in the sense of letting the user navigate to different websites, you don't need to worry about CSRF attacks. Your exposed HTTP API (REST, SOAP, whatever) must not require a CSRF token from the mobile application.
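An added example, not code from the original post or from Django: a request check that lets a csrf_exempt API registration view accept the iOS client while still refusing the cross-site form posts that CSRF tokens normally guard against. It relies on two facts, that an HTML form cannot submit application/json and that browsers add an Origin header to cross-site POSTs; the function name, header values and sample requests are constructed.

```python
import json
from dataclasses import dataclass

# Encodings an HTML <form> can submit without JavaScript and without a CORS
# preflight; a cross-site form post can never carry application/json.
FORM_ENCODINGS = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
REQUIRED_FIELDS = ("email", "username", "password")
# In Django, decorate the API view with @csrf_exempt (and @require_POST) and call
# this check before creating the user; the browser-facing form view keeps the
# normal CSRF middleware.


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_api_registration_request(method, headers, body, allowed_origins=()):
    """Decide whether a CSRF-exempt registration endpoint may process a request.

    headers: mapping of request headers (matched case-insensitively).
    allowed_origins: browser origins permitted to call the API (e.g. the site's
    own web front end). The native iOS client sends no Origin header and is
    accepted as long as it posts JSON.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "POST":
        return Decision(False, "only POST is accepted")
    # Strip parameters such as "; charset=utf-8" before comparing the media type.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype in FORM_ENCODINGS or not ctype:
        return Decision(False, "form encodings are refused; send application/json")
    if ctype != "application/json":
        return Decision(False, f"unsupported content type: {ctype}")
    # Browsers add Origin to cross-site POSTs; a native app does not send it.
    origin = h.get("origin")
    if origin is not None and origin not in allowed_origins:
        return Decision(False, f"origin not allowed: {origin}")
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return Decision(False, "body is not valid JSON")
    if not isinstance(payload, dict):
        return Decision(False, "JSON body must be an object")
    missing = [f for f in REQUIRED_FIELDS if not payload.get(f)]
    if missing:
        return Decision(False, "missing fields: " + ", ".join(missing))
    return Decision(True, "ok")
```

A rejected Decision maps naturally to a 400 or 403 response, while an allowed one proceeds to the usual validation and user creation.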