
I have used CSRF tokens in Python and Node.js. They work, but we have a hack to get rid of it: as in Inspect, even if you have set the field as hidden, anyone can still see it. Maybe I am doing it wrong. Is there any best way to make it secure so that no attacker can hit our API?

Rajat
  • If the implementation is correct, it's OK to have the token in plaintext in the HTML. – Gabor Lengyel Feb 05 '19 at 16:26
  • But what about XSS attacks? I think most of the CSRF protection methods are prone to XSS attacks. What's the best way, according to you, if we want to protect ourselves from XSS attacks too while enabling CSRF protection? – Rajat Feb 06 '19 at 06:54
  • If there is XSS, you can (mostly) exploit CSRF too, because you can steal the token. You can't do much about it, because JS needs to have access to the token, so it is also available in case of XSS. That's just how it is. – Gabor Lengyel Feb 06 '19 at 08:45
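What "the implementation is correct" means in practice, as an added example in Python (not the asker's code): a synchronizer token that is random per session, stored server-side, compared in constant time, and deliberately visible in the HTML. The in-memory session store and the function names are assumptions made for the example.

```python
# Added example (not the asker's code): synchronizer-token CSRF check.
# Assumptions: a server-side session store keyed by the session cookie and
# a form that posts the token back in a hidden field named "csrf_token".
import hmac
import secrets

# Constructed in-memory session store: session id (cookie value) -> session data.
SESSIONS = {}


def issue_token(session_id):
    """Return the session's random token, creating it on first use.

    Embedding it in a hidden field is fine: the same-origin policy stops a
    third-party page from reading our HTML, so a forged cross-site POST
    cannot carry the right value. Script running in our origin (XSS) can.
    """
    session = SESSIONS.setdefault(session_id, {})
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def verify_token(session_id, submitted):
    """True only if the submitted token matches the session's; fails closed."""
    session = SESSIONS.get(session_id)
    if not session or not submitted:
        return False
    return hmac.compare_digest(session["csrf_token"], submitted)  # constant-time


def render_form(session_id):
    """HTML served to the logged-in user; the token is plainly visible here."""
    # token_urlsafe output is [A-Za-z0-9_-], so no HTML escaping is needed.
    return f'<input type="hidden" name="csrf_token" value="{issue_token(session_id)}">'


def handle_post(session_id, form):
    """Simulated state-changing endpoint guarded by the token check."""
    if not verify_token(session_id, form.get("csrf_token")):
        return "403 Forbidden: bad CSRF token"
    return "200 OK: action performed"


if __name__ == "__main__":
    victim = "sess-victim"  # constructed session id
    token = render_form(victim).split('value="')[1].rstrip('">')
    print(handle_post(victim, {"csrf_token": token}))  # legitimate submit -> 200
    print(handle_post(victim, {}))  # cross-site forged POST, no token -> 403
```

Seeing the value in the element inspector is expected; the check holds because a cross-site page cannot read it, and, as the comments say, the same property is exactly what XSS defeats.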
