Saturday, 28 October 2017

How to protect a client-facing json api against bot attacks?

Disclaimer: I am a frontend developer without in-depth training in web security. Perhaps my question will sound trivial. Frankly, I hope it is — that means there is a simple solution. Please don't be angry.

I am working on a single-page web application that is architected according to a common pattern for modern web apps. Specifically, there is a web app itself that lives in the browser, a node-based "backend for frontend" that is responsible for rendering the app and for accepting ajax requests from it (most of which it then proxies to the "proper" backend), and then there is the "real" backend that is responsible for CRUD operations:

[Architecture diagram: browser app, node-based "backend for frontend", and the "real" backend]

We want to make sure that requests coming to the "backend for frontend" have originated in the client-side app in the browser, and not in an attacker's script.

As a part of that task, I enabled csrf protection (using the csurf library), but then it occurred to me that that cannot possibly be enough, because if the attacker makes a normal request using the browser, examines it in dev tools' network panel, and then copies cookies and headers (with the csrf token and the secret key stored in the cookies) from that request to his script, csrf protection will not be able to block such requests. At least as far as I understand how csurf works.

So, I am looking for a better way to make sure that requests are from the client app. Perhaps there is a way to combine the regular csrf-token-based protection with a timestamp to make sure that csrf token copied from request headers expires momentarily? Or maybe there are some other solutions? I am reluctant to invent my own security mechanism. Please advise?

(I have found a similar discussion on security.stackexchange.com, but with few concrete recommendations)



