
Normally, a csrf token is generated by the server and then sent to the client. When the client submits a form, the token is passed back to the server, which then gets verified.

If I am just using API Gateway and Lambda, how would I ensure that all POST/PUT requests are valid, and protect against csrf attacks? There isn't much written about the subject that I could find, and I'm not sure how to persist a generated csrf token so that all lambda functions can access it anyway.

Is this something that AWS already handles for me, or do I need to specifically configure it in a special way?

watdeo
  • perhaps you may want to check how AWS WAF handles owasp top 10: https://aws.amazon.com/about-aws/whats-new/2017/07/use-aws-waf-to-mitigate-owasps-top-10-web-application-vulnerabilities/; also have a look how api gateway is configured for CORS – Nicholas Jul 08 '17 at 11:36

1 Answer


While I haven’t done (or even tried) that myself, 2 possible solutions could be:

  • The obvious one: Persist the data in one of the storages offered by AWS
  • The less obvious one: use a token that does not need persistence. For instance, JWT (JSON web tokens) can be used statelessly insofar as all servers (in your case: lambda functions) only need to know a shared secret to be able to verify client-side tokens. To prevent re-using a previously generated and used token (in other words: ensure a token is used only once), you could add data to the token payload which describes the form, for instance using an entity identifier plus version number, or simply add an expiration timestamp to the token payload – whatever fits your use case.
BlueM
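As an added example (not code from the answer above, nor anything AWS provides), here is the stateless option implemented with a plain HMAC-signed token rather than a JWT library, so it runs with the standard library only. The secret value, the `X-CSRF-Token` and `X-Session-Id` header names and the `form` path parameter are assumptions for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed secret for the example; each Lambda would read the real one
# from an environment variable or a secrets store (assumption, not AWS-specific).
SECRET = b"example-shared-secret-do-not-use"
TOKEN_TTL_SECONDS = 15 * 60

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(session_id, form_id, now=None):
    """Mint a stateless CSRF token bound to a session, a form and an expiry."""
    now = int(time.time()) if now is None else now
    claims = {"sid": session_id, "form": form_id, "exp": now + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token(token, session_id, form_id, now=None):
    """Any Lambda holding SECRET can verify the token without shared storage."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time, before parsing
        return False
    claims = json.loads(payload)  # payload is authenticated at this point
    # Binding to session and form stops a token issued for one context being
    # replayed in another; the expiry bounds how long any token is accepted.
    return (claims.get("sid") == session_id and claims.get("form") == form_id
            and claims.get("exp", 0) > now)

def lambda_handler(event, context=None):
    """API Gateway proxy-style handler (assumed header and path names)."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    form_id = (event.get("pathParameters") or {}).get("form", "")
    token, sid = headers.get("x-csrf-token", ""), headers.get("x-session-id", "")
    if not verify_token(token, sid, form_id):
        return {"statusCode": 403, "body": "invalid or expired CSRF token"}
    return {"statusCode": 200, "body": "ok"}
```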