node.js - CSRF Token Storage by sailsjs -

-

i working on enterprise solution using sailsjs nodejs framework. security integral part of implementation. apart ssl, cors, using sailsjs csrf implementation. still evaluating how secure use token. can guide on following: sailsjs stores csrf token? encrypted? how secure use?

you'll need work validate tokens not accessible untrusted servers; should respond requests, , should not accessible via ajax, nor should cors headers enabled.

pillarjs has excellent readme on csrf. says csrf tokens:

csrf tokens

alas, final solution using csrf tokens. how csrf tokens work?

server sends client token. client submits form token. server rejects request if token invalid. attacker have somehow csrf token site, , have use javascript so. thus, if site not support cors, there's no way attacker csrf token, eliminating threat.

make sure csrf tokens can not accessed ajax! don't create /csrf route grab token, , don't support cors on route!

the token needs "unguessable", making difficult attacker successful within couple of tries. not have cryptographically secure. attack 1 or 2 clicks unbeknownst user, not brute force attack server.

also consider sails.js docs gives real-world example of how operate:

csrf tokens temporary , session-specific; e.g. imagine mary , muhammad both shoppers accessing our e-commerce site running on sails, , csrf protection enabled. let's on monday, mary , muhammad both make purchases. in order so, our site needed dispense @ least 2 different csrf tokens- 1 mary , 1 muhammad. on, if our web backend received request missing or incorrect token, request rejected. can rest assured when mary navigates away play online poker, 3rd party website cannot trick browser sending malicious requests our site using cookies.

and finally, sails.js uses connect csrf protection middleware. tokens stored on per-session basis, , therefore not stored in database nor (double) encryption needed. here's excellent answer on subject: why express/connect generate new csrf token on each request?


Comments

Post a Comment

Popular posts from this blog

python - pip install -U PySide error -

-
does know how avoid following error when running pip install -u pyside per official website instructions here: https://pypi.python.org/pypi/pyside/#installing-pyside-on-a-mac-os-x-system note have done brew install qt successfully. you using pip version 7.0.3, version 7.1.2 available. should consider upgrading via 'pip install --upgrade pip' command. collecting pyside using cached pyside-1.2.4.tar.gz installing collected packages: pyside running setup.py install pyside complete output command /applications/anaconda/bin/python -c "import setuptools, tokenize;__file__='/private/var/folders/dy/ttgqhqqx3g9bsbsnqnxsk2z80000gq/t/pip-build-cpxemt/pyside/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /var/folders/dy/ttgqhqqx3g9bsbsnqnxsk2z80000gq/t/pip-0r7hri-record/install-record.txt --single-version-externally-managed --compile:
Read more

arrays - C++ error: a brace-enclosed initializer is not allowed here before ‘{’ token -

-
simple question: i'm trying initialize array within c++ class declaration: using namespace std; #include <string> class myclass{ public: string myarray[] = {"a","b","c"}; }; and i'm getting error: error: brace-enclosed initializer not allowed here before ‘{’ token no, without complied c++11 compiler, cannot initialize member array in declaration. have initialize array member in constructor. , don't use open array if know number of elements initialize array.
Read more

cytoscape.js - How to add nodes to Dagre layout with Cytoscape -

-
i trying add nodes dagre graph through cityscape.js. problem nodes not painted. code have: cy.add({ group: "nodes", data: { id:"n0",name:"n0",weight: 75 }, }); $.ajax(url).done(function(jsontree){ var newnodes=[]; for(var i=1;i<6;i++){ //var child = jsontree.result[i]; newnodes.push( { group: "nodes", data: { id: "n"+i, name:"n"+i}}, { group: "edges", data: { id: "e"+i, source: "n0", target: "n"+i } } ); } cy.add(newnodes); any ideas? have used loaded function reload graph not work. not know if have use specific function reload graph. thank in advance. you need add positions new nodes. cytoscape.js docs : it important note positions of newly added nodes must defined when calling cy.add(). nodes can not placed in graph without valid position — otherwise not displayed. yo
Read more