The attacker can’t use JavaScript to read the token from the site, because it would be a cross-origin request and access to the data from it is blocked (by default) by the Same Origin Policy (MDN, W3C). Take this for example: var xhr = new XMLHttpRequest(); xhr.open(“GET”, “http://google.com”); xhr.addEventListener(‘load’, function (ev) { console.log(this.responseText); }); xhr.send(); … Read more
Modify urls.py If you manage your routes in urls.py, you can wrap your desired routes with csrf_exempt() to exclude them from the CSRF verification middleware. for instance, from django.views.decorators.csrf import csrf_exempt urlpatterns = patterns( # … # Will exclude `/api/v1/test` from CSRF url(r’^api/v1/test’, csrf_exempt(TestApiHandler.as_view())) # … ) Alternatively, as a Decorator Some may find the … Read more
I’ll try to answer this in a generic way so that the answer is applicable across frameworks, implementations and languages because the answers to all the questions can be derived from the general protocol or algorithm specifications. Which OAuth 2.0 grant type should I use? This is the first thing to be decided. When it … Read more
It looks like the CSRF (Cross Site Request Forgery) protection in your Spring application is enabled. Actually it is enabled by default. According to spring.io: When should you use CSRF protection? Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only … Read more
I found some information about CSRF + using no cookies for authentication: https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/ “since you are not relying on cookies, you don’t need to protect against cross site requests” http://angular-tips.com/blog/2014/05/json-web-tokens-introduction/ “If we go down the cookies way, you really need to do CSRF to avoid cross site requests. That is something we can forget when … Read more