In the project (Laravel + Angular JS), the frontend and backend work independently, i.e. Laravel only plays the role of a Rest API. The generation of mappings lies entirely on Angular JS. How to use CSRF token in such a project? There is an idea to get its get method from the API, maybe I’m wrong: I don’t imagine how it will affect security; in this case - how to? Perhaps the CSRF check should be turned off altogether? Advise, please?
|
2 answers
It is better to abandon the idea of storing any data in a session or in a cookie at all. Moreover, it is recommended to make the REST API stateless. Such an API will not need to be protected with a CSRF token at all.
Security tokens should be used instead. Such a token is issued in response to a login request, stored on the js side — and subsequently passed to the API layer for each request.
Pavel Mayorov Pavel Mayorov
48.9k 5 gold signs 51 silver badge 110 bronze marks
- But in either case, the token must be stored on the server side so that it can be compared with what comes from the client. In this case, I do not understand how this can be done without sessions? - Andrei Talanin
- one@AndreyTalanin either keep it in the database - or use a digital signature - Pavel Mayorov
|
One of the options to modify the file app / Http / Middleware / VerifyCsrfToken.php
//добавить в Routes список url какие CSRF не будет проверять private $openRoutes = ['feedback', 'main/first', 'main/second']; public function handle($request, Closure $next) { foreach($this->openRoutes as $route) { if ($request->is($route)) { return $next($request); } } return parent::handle($request, $next); } 
Dmitry Kalinin Dmitry Kalinin
667 3 silver marks 6 bronze marks
- Starting from 5.1, you can add exceptions to the
$exceptproperty. Laravel will do the rest. Laravel :: Excluding URIs From CSRF Protection . - xEdelweiss - Thanks, but does this mean that you agree that in this case, the token should be received with a get request? - Andrei Talanin
|