Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

CSRF and RESTful API (symfony2, php)

I'm developing RESTful API using php/symfony2.

Symfony2 comes with CSRF protection out of the box and it works fine when using normal form data (it passes CSRF token to the form and when posted back it expects the same token which is embeded in the form).

Nonetheless this solution is not fit for purpose if you develop RESTful API, where my communication between backend<->frontend is purely JSON based. Because of that I disabled CSRF.

I'm aware not having CSRF token is not safe, so I'm wondering what's the most optimal way to have CSRF with RESTful API.

One idea in mind is to have specific URL e.g. /api/generate/csrf, which can be called by frontend then append token to json request. It doesn't sound as the safest way as token technically could be generated by anyone.

What's the best way to approach CSRF problem when developing RESTful APIs.

Cheers, Richard

like image 439
richard.pi Avatar asked Jan 22 '14 14:01

richard.pi


1 Answers

Remember that you only need CSRF protection when your REST client is using session based authentication, otherwise CSRF protection won't help you.

If your requests DO use session based authentication, I would include the CSRF token as a header. Something like:

CSRF-Token: dfsa0jr3n2io20a;
like image 148
gitaarik Avatar answered Oct 01 '22 09:10

gitaarik