Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

how to implement csrf protection for cross domain requests

Tags:

I have two web apps, one for the Web UI in AngularJS and one for the REST webservices in Java. Both are deployed on separate domains.

The applications uses cookie for authentication. Whenever user enters a valid username and password, server returns a http only cookie back containing the token and that cookie is passed across all requests. I have enabled CORS on both apps, thats why the session cookie is working properly.

Now, I am trying to add CSRF protection for this. I was trying to use the csrf cookie where in the server will send the csrf cookie(not httponly) as part of REST response and the UI will read the value from the cookie and pass that in a csrf token header for the other REST calls.

The problem with this approach I am facing is that since the server is in different domain, I cannot read the cookie using $cookies in AngularJs. Is there a way to read a value of that cookie? If not, then can I implement CSRF in some other way?

I also tried to implement the creation of the csrf cookie on the Web UI itself in the browser but the browser does not send the cookie to the webservice as its in different domain.

So, my question is how to implement csrf protection for this kind of situation?

like image 889
user3565529 Avatar asked Jan 06 '15 06:01

user3565529


People also ask

Can CORS mitigate CSRF?

Sometimes CORS is also associated with the protection methods of how to prevent CSRF attacks. The most typical way to mitigate the attack is to use anti-CSRF tokens but it is also possible to prevent the attack by checking the Origin: or Referer: header which is related to CORS.

Which is the best defense against Cross-Site Request Forgery CSRF attacks?

The most robust way to defend against CSRF attacks is to include a CSRF token within relevant requests. The token should be: Unpredictable with high entropy, as for session tokens in general.

Is CSRF required for GET requests?

The best defense against CSRF attacks which take the form of GET requests is to disallow GET requests for key actions, especially actions which "change state" in some way. Links and image tag sources are always GET request. Making all GET requests harmless removes a major pathway for CSRF attacks.


1 Answers

You were on the right track with this:

I also tried to implement the creation of the csrf cookie on the Web UI itself in the browser but the browser does not send the cookie to the webservice as its in different domain.

The CSRF cookie isn't meant to be "sent" to the server, it is meant to be read by the client and then supplied in a custom HTTP request header. Forged GET requests (triggered by HTML tags such as <img src="">) from other domains cannot set custom headers, so this is how you assert that the request is coming from a javascript client on your domain.

Here is how you can implement the idea you were working on, imagine you have api.domain.com and ui.domain.com:

1) User loads the Angular client from ui.domain.com

2) User posts authentication information from Angular client to api.domain.com

2) Sever replies with an HttpOnly authentication cookie, called authCookie, and a custom header e.g. X-Auth-Cookie, where the value of this header is a unique value that is linked to the session that is identified by the authCookie

3) The Angular client reads the X-Auth-Cookie header value and stores that value in a XSRF-TOKEN cookie on its domain, ui.domain.com

  • So now you have:

    • XSRF-TOKEN cookie on ui.domain.com
    • authCookie cookie on api.domain.com

4) User makes a request of a protected resource on api.domain.com. The browser will automatically supply the authCookie value, and Angular will automatically send the X-XSRF-TOKEN header, and will send the value that it reads from the XSRF-TOKEN cookie

5) Your server asserts that the value of X-XSRF-TOKEN is linked to the same session that is identified by the value of the authCookie

I hope this helps! I've also written about token authentication for Angular, Token Based Authentication for Single Page Apps (SPAs) (Disclaimer: I work at at Stormpath)

like image 70
robertjd Avatar answered Sep 29 '22 09:09

robertjd