node.js - CSRF Token Storage by sailsjs


I am working on an enterprise solution using the Sails.js Node.js framework. Security is an integral part of the implementation. Apart from SSL and CORS, we are using the Sails.js CSRF implementation. I am still evaluating how secure the use of the token is. Can you guide me on the following: where does Sails.js store the CSRF token? Is it encrypted? How secure is its use?

You'll need to do some work to validate that tokens are not accessible to untrusted servers; they should be sent with requests, and they should not be accessible via AJAX, nor should CORS headers be enabled.

PillarJS has an excellent README on CSRF. Here is what it says about CSRF tokens:

CSRF tokens

Alas, the final solution is using CSRF tokens. How do CSRF tokens work?

The server sends the client a token. The client submits a form with the token. The server rejects the request if the token is invalid. An attacker would have to somehow get the CSRF token from your site, and would have to use JavaScript to do so. Thus, if your site does not support CORS, there's no way for the attacker to get the CSRF token, eliminating the threat.

Make sure CSRF tokens can not be accessed with AJAX! Don't create a /csrf route just to grab a token, and don't support CORS on that route!

The token just needs to be "unguessable", making it difficult for an attacker to be successful within a couple of tries. It does not have to be cryptographically secure. The attack is 1 or 2 clicks unbeknownst to the user, not a brute force attack against the server.

Also consider that the Sails.js docs give a real-world example of how it operates:

CSRF tokens are temporary and session-specific; e.g. imagine Mary and Muhammad are both shoppers accessing our e-commerce site running on Sails, and CSRF protection is enabled. Let's say that on Monday, Mary and Muhammad both make purchases. In order to do so, our site needed to dispense at least 2 different CSRF tokens: 1 for Mary and 1 for Muhammad. From then on, if our web backend received a request with a missing or incorrect token, the request would be rejected. So we can rest assured that when Mary navigates away to play online poker, a 3rd party website cannot trick her browser into sending malicious requests to our site using her cookies.

And finally, Sails.js uses the connect CSRF protection middleware. Tokens are stored on a per-session basis, and are therefore not stored in the database, nor is (double) encryption needed. Here's an excellent answer on the subject: Why does express/connect generate a new CSRF token on each request?

