I'm doing a SPA with Symfony and React JS, and my question is: how can I use the Symfony CSRF token generator with React to avoid CSRF attacks?
Welcome to StackOverflow. Please take some time to read the [help page](https://stackoverflow.com/help/minimal-reproducible-example) for Minimal, Reproducible Example for getting better answers from community. – Shiv Kumar Baghel May 01 '20 at 13:08
1 Answer
If you develop an SPA, then you're also building an API on the Symfony side (that's usually what people do).
Since the CSRF issue is only related to forms and not APIs (because they are usually stateless), you just do not manage the CSRF issue. Even if we usually do not have this problem, keep in mind that you still need to deal with it if you use cookies/sessions. If you do so, then I recommend you read the documentation of the CSRF component of Symfony.
More insights here: https://security.stackexchange.com/questions/166724/should-i-use-csrf-protection-on-rest-api-endpoints

Nek
I've built the API and implemented OAuth, but I'm still using forms, like the login or the CRUD forms, in my SPA. So do I still have that CSRF issue, or not? – sgx11 Apr 30 '20 at 22:38
Do you use a cookie session? If you do, you need CSRF protection. OAuth is usually stateless (depending on the implementation), so no need to worry by default. Be sure it's actually stateless. Note that if you use JWT (or any kind of token that contains authentication), then yes, it's stateless. – Nek May 01 '20 at 11:11
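
For the cookie-session case raised in the answer and comments, here is an added example (not code from the answer, the commenters or the Symfony documentation) of a controller that hands the SPA a token from Symfony's CSRF component and checks it on a state-changing request. The routes, the token id `spa`, the `X-CSRF-Token` header name and the Symfony 6.4+/PHP 8.1+ syntax are assumptions.

```php
<?php
// Added example. Assumptions: Symfony 6.4+ on PHP 8.1+, cookie-backed session,
// hypothetical routes, token id "spa" and header name "X-CSRF-Token".

namespace App\Controller;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;

final class ItemApiController
{
    private const TOKEN_ID = 'spa';

    public function __construct(private readonly CsrfTokenManagerInterface $csrf)
    {
    }

    // The React app calls this once after login and keeps the value in memory.
    #[Route('/api/csrf-token', methods: ['GET'])]
    public function token(): JsonResponse
    {
        $token = $this->csrf->getToken(self::TOKEN_ID); // tied to the user's session
        $response = new JsonResponse(['token' => $token->getValue()]);
        $response->headers->set('Cache-Control', 'no-store');

        return $response;
    }

    // Every state-changing request must echo the token in a custom header.
    // A page on another origin cannot read the token response unless CORS allows it.
    #[Route('/api/items', methods: ['POST'])]
    public function create(Request $request): JsonResponse
    {
        $submitted = (string) $request->headers->get('X-CSRF-Token', '');

        if (!$this->csrf->isTokenValid(new CsrfToken(self::TOKEN_ID, $submitted))) {
            throw new AccessDeniedHttpException('Invalid CSRF token.');
        }

        $data = json_decode($request->getContent(), true) ?? [];

        return new JsonResponse(['created' => $data['name'] ?? null], 201);
    }
}
```

On the React side the token is fetched with the session cookie attached and then sent back in the `X-CSRF-Token` header of each POST, PUT, PATCH or DELETE request.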