0

To protect the app from CSRF attacks we set a cookie named XSRF-TOKEN from the server side. So from the client-side code we are able to set the cookie and send it across to the server, but to validate CSRF on the server side we need to send a header while firing the 'POST' service call. As per the Angular documentation, $http automatically sets the header X-XSRF-TOKEN by reading the cookie (please refer to the link), but the JavaScript code is unable to read the cookie though we have deployed our application on the same domain. The server-side cookie generation code and service deployment details are as below:

import javax.servlet.http.Cookie;

// Issue the CSRF token as a cookie; it must stay readable by client-side JavaScript
// (i.e. not HttpOnly, the servlet default) so $http can echo it back in X-XSRF-TOKEN.
final Cookie newCookie = new Cookie("XSRF-TOKEN", csrfValue);
newCookie.setPath("/");
httpResponse.addCookie(newCookie);

The UI is deployed on port 8080 and the service is deployed on port 8084 inside the same VM.

Sayan
  • 1
  • 2

1 Answer

0

Ports 8080 and 8084 are different origins, so you can't read cookies from one on the other, the same as you can't access the cookies of any other website in JavaScript running on yours.

How does the service authenticate the user? If it's token based, and the token is sent as a request header, you don't even need further protection from CSRF.

Gabor Lengyel
  • 14,129
  • 4
  • 32
  • 59
  • We use Keycloak as the authentication mechanism, so Keycloak uses the token-based authentication concept of OAuth. CSRF protection is needed to stop cross-site requests. As it falls under one of the OWASP vulnerabilities it has been raised as part of VAPT testing, which we are executing through a third-party client to get certification. Now you are correct: as our application is hosted on a different port, that's the reason the domain validation is failing. In the background we use a reverse proxy to resolve hosts. Does the reverse proxy setting take care of this problem or do we have to do more to accomplish this? – Sayan Apr 12 '18 at 05:25