Menu
I'm developing RESTful API using php/symfony2.
Symfony2 comes with CSRF protection out of the box and it works fine when using normal form data (it passes CSRF token to the form and when posted back it expects the same token which is embeded in the form).
Nonetheless this solution is not fit for purpose if you develop RESTful API, where my communication between backend<->frontend is purely JSON based. Because of that I disabled CSRF.
I'm aware not having CSRF token is not safe, so I'm wondering what's the most optimal way to have CSRF with RESTful API.
One idea in mind is to have specific URL e.g. /api/generate/csrf, which can be called by frontend then append token to json request. It doesn't sound as the safest way as token technically could be generated by anyone.
What's the best way to approach CSRF problem when developing RESTful APIs.
Cheers, Richard
439
Remember that you only need CSRF protection when your REST client is using session based authentication, otherwise CSRF protection won't help you.
If your requests DO use session based authentication, I would include the CSRF token as a header. Something like:
CSRF-Token: dfsa0jr3n2io20a;
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
