Is the following a secure implementation of CSRF token verification? Specifically, I want to call this Stripe API endpoint:
https://connect.stripe.com/express/oauth/authorize?redirect_uri=https://example.com&client_id=ca_11111&state={STATE_VALUE}
and the Stripe docs say
To prevent CSRF attacks, add the state parameter, passing along a unique token as the value. We’ll include the state you gave us when we redirect the user back to your site.
I am thinking of implementing it like this:

- browser generates a random token and stores it in a cookie (or local storage)
- browser calls the above endpoint
- stripe redirects to my application at https://example.com
- when I get the response back, I check the contents of the state parameter and compare it to the value stored in local storage, or in my cookie.
Is this a secure/correct implementation of CSRF? Or do I need to somehow involve a backend service?
(Stripe docs here: https://stripe.com/docs/connect/express-accounts)
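As an added illustration (not part of the original question and not Stripe's code), here is the usual shape of the `state` check in plain Python: the server generates an unguessable `state`, stores it in the user's server-side session, puts it on the authorize URL, and on the callback compares the echoed value in constant time and consumes it so it cannot be replayed. The `client_id` and `redirect_uri` values are the placeholders from the question; the `session` dict and the `stripe_oauth_state` key name are assumptions standing in for whatever session store the application uses.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint and placeholder values quoted in the question above.
AUTHORIZE_URL = "https://connect.stripe.com/express/oauth/authorize"
CLIENT_ID = "ca_11111"
REDIRECT_URI = "https://example.com"
# Hypothetical session key; any server-side session store works the same way.
SESSION_KEY = "stripe_oauth_state"


def start_authorize(session: dict) -> str:
    """Generate a fresh unguessable state, bind it to this user's server-side
    session and return the authorize URL the browser should be sent to."""
    state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    session[SESSION_KEY] = state
    query = urlencode(
        {"redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID, "state": state}
    )
    return f"{AUTHORIZE_URL}?{query}"


def verify_callback(session: dict, callback_url: str) -> bool:
    """Compare the state Stripe echoed back with the one stored for this
    session. The stored value is removed on every call, so a given state is
    accepted at most once, and the comparison is constant-time."""
    expected = session.pop(SESSION_KEY, None)
    received = parse_qs(urlparse(callback_url).query).get("state", [None])[0]
    if expected is None or received is None:
        return False
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed walk-through: one session, one authorize round trip.
    session = {}
    url = start_authorize(session)
    echoed = parse_qs(urlparse(url).query)["state"][0]
    callback = f"{REDIRECT_URI}/?code=ac_example&state={echoed}"
    print("first callback accepted:", verify_callback(session, callback))
    print("replay accepted:", verify_callback(session, callback))
```

The check lives on the server because the session entry is what ties the returned `state` to the browser session that started the flow; the callback handler should reject the request outright when `verify_callback` returns `False`, before exchanging any authorization code.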