Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Should a Laravel SPA still use a CSRF token for security?

Tags:

csrf

laravel

laravel-5.4

I ran into multiple difficulties with CSRF when building a small SPA with Laravel and Vue.js:

  • I use index.html as the only view, the rest is handled by vue-router using single file components (i.e. .vue files)
  • Because I'm not using PHP or Blade on the front, I can't inject csrf_token() into my view. Even if I did, the token would eventually expire, yet because the app has no (or very few) page refresh(es), it wouldn't know if the token changed, and it would eventually fail to make AJAX requests with the old token
  • Some answers suggest to pass the token in a cookie and then retrieve it with JS. This approach suffers from the same problem as above -- the SPA is never notified when the token changes
  • I could dig in the internal workings of Laravel and throw an event every time the token changes; the front-end could use Laravel Echo to listen to the changes, but then the question raises, is it even worth to bother?
  • Lastly, I was suggested to use JWT; however, as I understand, JWT is used for authentication purposes, while CSRF -- for every single request regardless of the HTTP verb or intent.

With the last two points in mind, do you think it is necessary/advisable to use a CSRF token in a Laravel SPA? And if so, what would be the best implementation (cookie with the token, dedicated route returning the token, or other)? If not, what are the alternatives?

like image 328
Alex Avatar asked May 28 '17 20:05

Alex

People also ask

Does laravel API need CSRF token?

Laravel CSRF Token Ajax Calls In Laravel, Middleware handles all the requests and doesn't allow any POST request without the right CSRF token verification. Therefore, in order to proceed further, you must input the CSRF Token while sending the AJAX request.

Is CSRF token necessary?

Such carefully executed Social Engineering is not always needed to perform CSRF attacks, however. In fact, every single webpage you visit can perform CSRF; surfing the Web requires a lot of trust.

Why CSRF token is used in laravel?

Laravel automatically generates a CSRF "token" for each active user session managed by the application. This token is used to verify that the authenticated user is the person actually making the requests to the application.

Should I replace CSRF token?

Changing the CSRF token on every request provides adequate protection against BREACH, and both Django and Rails have implemented changing CSRF tokens. Both frameworks have implemented it by encoding the actual CSRF token. The token is encoded randomly on each page, thus preventing repetitive output.

1 Answers

Comments don't have enough space, so I'm adding this as an answer, but this is just a concept as I have extremely low experience with Vue.

From the docs

// Add a request interceptor
axios.interceptors.request.use(function (config) {
    // Do something before request is sent
    return config;
  }, function (error) {
    // Do something with request error
    return Promise.reject(error);
  });

// Add a response interceptor
axios.interceptors.response.use(function (response) {
    // Do something with response data
    return response;
  }, function (error) {
    // Do something with response error
    return Promise.reject(error);
  });

So the concept would be something like this:

  • Set a custom header from Laravel.
  • When building/starting up your Vue application, get the custom header and set it somewhere global.

  • When making a request, intercept it and add the CSRF token from the global storage

    axios.interceptors.request.use(function (config) { // Get your token from the place you stored it and add to the request });

  • Intercept the response and store a new token

    axios.interceptors.response.use(function (response) { // Store the new CSRF token in the same place you stored the 1st one. });

  • Loop forever

like image 183
Marco Aurélio Deleu Avatar answered Sep 18 '22 14:09

Marco Aurélio Deleu
Sign in to Comment

Related questions

Laravel append URI in route
Loading more eloquent hasMany relation queries through ajax in Laravel?
Laravel 5: How can I load database values into the config/services.php file?
Required field only if another field has a value, must be empty otherwise
Laravel have Two foreign Key from the same table
How to change column data type in laravel 5.6?
Laravel: Cannot declare class App\Models\Customer, because the name is already in use
Laravel Model Eager loading and ordering
Laravel get belongsToMany through hasMany
Laravel seeding my tables(many to many relation) fails
Middleware for checking if resource is owned by user
Why laravel eloquent model does not have an id after it is saved?
How to store a list of weekdays in MySQL?
How to set custom attribute labels for nested inputs in Laravel
Laravel validator with a wildcard
Modify input in laravel middleware
How to switch Authentication from one user to another using Laravel
Error 500 when uploading Laravel project to server
How to generate a short token with laravel passport?
Laravel functional testing ajax control

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!