Remove CSRF protection on API POST calls

I would like to remove CSRF from my Express 3.0 application as I don't need it there. I use OAuth to validate clients. Is there a middleware to whitelist API URLs when using express.csrf()?

samaras asked Mar 10 '14 08:03



1 Answer

You can do that in two ways.

1.) Create a small middleware of your own that allows whitelisted URL patterns to bypass the CSRF check, like:

var express = require("express");
var expressCsrf = express.csrf();
var app = express(); // Express 3: express() replaces the deprecated createServer()

// express.csrf() reads the token from the parsed body (or the
// X-CSRF-Token header) and stores its secret in the session, so the
// body parser, cookie parser and session middleware must be mounted first.
app.use(express.bodyParser());
app.use(express.cookieParser());
app.use(express.session({ secret: "replace-with-a-real-secret" })); // placeholder value

var customCsrf = function (req, res, next) {
  // Exact path match is assumed here; a regex test would work as well
  var csrfEnabled = true;
  var whiteList = ["/pattern1/param1", "/pattern2/param2", "/pattern3/param3"];
  if (whiteList.indexOf(req.path) != -1) {
    csrfEnabled = false;
  }

  if (csrfEnabled) {
    expressCsrf(req, res, next); // whitelisted paths skip this and go straight to next()
  } else {
    next();
  }
};

app.use(customCsrf);
app.listen(3000);

2.) Use the csrf middleware only on the controllers where you want it enabled. For example, if you want the CSRF check on the profile save controller:

app.post("/profile/save", express.csrf(), function(req, res, next) {
    // put your code here
});
Hüseyin BABAL answered Oct 07 '22 01:10