Normally, a CSRF token is generated by the server and then sent to the client. When the client submits a form, the token is passed back to the server, which then verifies it.
If I am just using API Gateway and Lambda, how would I ensure that all POST/PUT requests are valid, and protect against CSRF attacks? There isn't much written about the subject that I could find, and I'm not sure how to persist a generated CSRF token so that all Lambda functions can access it anyway.
Is this something that AWS already handles for me, or do I need to specifically configure it in a special way?
By using custom rules through a WAF, users are able to help prevent certain CSRF attacks.
Now, we can see that our request is working, and the “Invalid CSRF token” error is gone in the REST API logs. Therefore, it will be impossible for attackers to perform a CSRF attack.
CSRF tokens prevent CSRF because without the token, an attacker cannot create valid requests to the backend server. CSRF tokens should not be transmitted using cookies. The CSRF token can be added through hidden fields or headers, and can be used with forms and AJAX calls.
The CSRF token is required for any later REST API calls. The client must send a valid token with every API request. The token is sent in a custom request HTTP header. The name of the custom header is X-IBM-SPM-CSRF.
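An added example, not from the question or any of the answers quoted above: one way to do what the question asks without persisting tokens is to make the token an HMAC over the caller's session id and a timestamp, so every Lambda function can verify it with the same shared secret. The `session` cookie name, the `X-CSRF-Token` header name and the `CSRF_SECRET` environment variable are assumptions for this example.

```python
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed secret for this example; a real deployment would load it from an
# environment variable or a secrets store shared by all the Lambda functions.
SECRET = os.environ.get("CSRF_SECRET", "example-only-secret").encode()
TOKEN_TTL_SECONDS = 3600


def issue_token(session_id, now=None):
    """Mint a token bound to the caller's session: ts:nonce:HMAC(session:ts:nonce)."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    mac = hmac.new(SECRET, f"{session_id}:{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{nonce}:{mac}"


def verify_token(token, session_id, now=None):
    """Recompute the HMAC; no server-side store of issued tokens is needed."""
    try:
        ts_str, nonce, mac = token.split(":")
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False
    if (now if now is not None else time.time()) - ts > TOKEN_TTL_SECONDS:
        return False  # expired token
    expected = hmac.new(SECRET, f"{session_id}:{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def session_from_cookie(cookie_header):
    """Extract the 'session' cookie value (assumed cookie name for the example)."""
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value or None
    return None


def handler(event, context=None, now=None):
    """API Gateway proxy-style handler: state-changing methods need a valid X-CSRF-Token."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    session_id = session_from_cookie(headers.get("cookie"))
    if event.get("httpMethod", "GET").upper() in ("POST", "PUT", "PATCH", "DELETE"):
        token = headers.get("x-csrf-token")
        if not (session_id and token and verify_token(token, session_id, now)):
            return {"statusCode": 403, "body": json.dumps({"error": "Invalid CSRF token"})}
    return {"statusCode": 200, "body": json.dumps({"ok": True})}
```

The token travels in a custom header rather than a cookie, so a cross-site form post cannot supply it, and the session cookie alone is not enough to pass the check.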
While I haven't done (or even tried) that myself, two possible solutions could be: