CSRF token
kennarddh commented
https://stormpath.com/blog/angular-xsrf
https://stackoverflow.com/questions/5207160/what-is-a-csrf-token-what-is-its-importance-and-how-does-it-work
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern
https://stackoverflow.com/questions/27067251/where-to-store-jwt-in-browser-how-to-protect-against-csrf
csurf
https://stackoverflow.com/questions/65828687/how-to-set-csurf-express-middleware-up-to-work-with-postman
Synchronizer token pattern
On login
- Generate random uuid
- Set csrf-token cookie
- Save csrf cookie to user database
On access protected resource
- Client sends csrf-token cookie
- Check csrf-cookie is the same as in the database
- If csrf token is not the same, respond with error
- Else respond with protected resource
Double submit cookie
On login
- Generate random uuid
- Set csrf-token cookie
- Set csrf-token in jwt payload
On access protected resource
- Client sends csrf-token from cookie in a header
- Server checks csrf token in header is the same as the csrf token in the jwt payload
- If the same, request is not forged
- Else respond with error
kennarddh commented
Token in response is blocked by SOP