11

I'm developing RESTful API using php/symfony2.

Symfony2 comes with CSRF protection out of the box and it works fine when using normal form data (it passes CSRF token to the form and when posted back it expects the same token which is embeded in the form).

Nonetheless this solution is not fit for purpose if you develop RESTful API, where my communication between backend<->frontend is purely JSON based. Because of that I disabled CSRF.

I'm aware not having CSRF token is not safe, so I'm wondering what's the most optimal way to have CSRF with RESTful API.

One idea in mind is to have specific URL e.g. /api/generate/csrf, which can be called by frontend then append token to json request. It doesn't sound as the safest way as token technically could be generated by anyone.

What's the best way to approach CSRF problem when developing RESTful APIs.

Cheers, Richard

Improve this question
2
  • 1
    What's the client you're now using for the API? Is this another web service, a mobile app or a frontend client (like angular/backbone/ember). If you use the first or second option, answers can be completely different than the last option. Commented Jan 22, 2014 at 14:39
  • @Jurian Sluiman The client (frontend) is web based (html5/js) at the moment. However there might be a need to support other devices in the future as well, so I don't want to limit myself to web. Commented Jan 22, 2014 at 14:58

2 Answers 2

Reset to default
1

Remember that you only need CSRF protection when your REST client is using session based authentication, otherwise CSRF protection won't help you.

If your requests DO use session based authentication, I would include the CSRF token as a header. Something like:

CSRF-Token: dfsa0jr3n2io20a;
Improve this answer
Sign up to request clarification or add additional context in comments.

11 Comments

unfortunately REST client is using session based authentication (i know it's not perfect, but that's how it is at the moment). i understand there are ways of passing CSRF token as header, but how do i get one? is getting one by calling e.g. /api/give/me/token a safe bet?
You should generate the CSRF token on the server and put it in the page. Then when the client does a request with that token you are sure that the request came from that page. That's the idea. Frameworks like Symfony do this automatically for you for Forms, but you have a little bit of a special case over here so you should implement it yourself.
all the data is which is passed from the client is as json. backend doesn't generate any forms for the frontend in this instance. i know i could create a special call e.g. /api/token, which would be returning token, which then i can append to json, which will be send to the server. the problem with this solution is that a potential attacker also could access /api/token to generate token and add to attacker's fake json request
You shouldn't get the token through a separate request, you should include the token in the page where you execute the API call, so that the API call can send this token back again.
Qoop is right. the frontpage is NOT generated by the server. so, how do i obtain token?
|
0

I'm working on this issue too. Here is my original question.

I have a theoretical solution so far, but I'm not quite sure it will work. Maybe somebody can comment.

  1. Add the CSRF TOKEN to the API response cookie readable by the JS application;
  2. Send it with the request as X-CSRF-TOKEN header value by the JS application;
  3. Verify the CSRF TOKEN on the API.
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.