Menu
I read a lot around:
However, I am not yet able to understand if our endpoint ("/graphql") is protected for this type of attack or if it is necessary to protect it with solutions like this: https://github.com/expressjs/csurf.
The thing that is not clear to me is that here: https://github.com/pillarjs/understanding-csrf they say:
When you're using CSRF tokens incorrectly: ... Adding them to JSON AJAX calls As noted above, if you do not support CORS and your APIs are strictly JSON, there is absolutely no point in adding CSRF tokens to your AJAX calls.
If we restrict our endpoint to just use Content-Type: application/json are we safe?
791
But even though GraphQL can be a very secure option for your API, it does not come secure out of the box. It's actually the opposite: all doors are open even for the most novice hackers. Plus, GraphQL has its own set of considerations so if you come from REST you might have missed a few important steps!
When should you use CSRF protection? Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
CSRF, which stands for Cross-Site Request Forgery, is an attack against a web application in which the attacker attempts to trick an authenticated user into performing a malicious action.
A CSRF token is a secure random token (e.g., synchronizer token or challenge token) that is used to prevent CSRF attacks. The token needs to be unique per user session and should be of large random value to make it difficult to guess. A CSRF secure application assigns a unique CSRF token for every user session.
If we restrict our endpoint to just use Content-Type: application/json are we safe?
JSON is not immune to CSRF attacks (but requires a little extra work for the attacker) and by extension, neither would GraphQL if not properly configured. If you break it down to the requests / responses, the usual scenario of CSRF would apply here:
In this scenario, your service is vulnerable to CSRF. Ensure that CORS is configured to only allow requests from a white list of trusted domains and ensure that a CSRF token is in use. Implementing multiple protections will reduce the risk of a successful attack.
The following link goes into greater detail and you can even try it yourself: https://blog.appsecco.com/exploiting-csrf-on-json-endpoints-with-flash-and-redirects-681d4ad6b31b
This answer is also relevant: Are JSON web services vulnerable to CSRF attacks?
177
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
