by amjo324
3680 days ago
A similar anti-CSRF measure is implemented in some application frameworks by default. For example, when performing XHR requests in AngularJS, "the $http service reads a token from a cookie (by default, XSRF-TOKEN) and sets it as an HTTP header (X-XSRF-TOKEN). Since only JavaScript that runs on your domain could read the cookie, your server can be assured that the XHR came from JavaScript running on your domain. The header will not be set for cross-domain requests." Reference: https://docs.angularjs.org/api/ng/service/$http

This is an effective approach because unless an attacker has already compromised the relevant cookie, they will be unable to spoof the X-XSRF-TOKEN header in a cross-origin request. On the server side, you just need to validate that (a) the X-XSRF-TOKEN header was sent and (b) it contains the expected value for each HTTP request received.