
Is using a CSRF token in a REST API helpful or not? As far as I know, we don't have a session, so we should send the token to the client for the next request or for submitting the form.

Is it helpful to use it again in AJAX (XHR) calls? Are there any alternatives?

I've been reading the Spring documents for this, and they also have some examples, but I was curious whether it is really helpful or not.

By the way, my server is Spring 2.2 and my client is Angular 9.

Thanks

arash yousefi

1 Answer


CSRF tokens are essential for preventing XSS attacks; for instance, you are logged into your bank in one tab and visiting my malicious site, which will send a hidden form to your bank, stealing your credit card number.

If you want to build a more secure site, every request that manipulates the state in the backend (POST, PUT, DELETE etc) should have a CSRF token included, to ensure that the request came from forms on your site and only your site.

You can read more about CSRF tokens on OWASP's webpage.

Toerktumlare
The thing is, if I am sending the token to the user without using the session, the end user would be able to get the CSRF token as well as other tokens. My question is, would it be the correct mechanism to prevent them from submitting a form? – arash yousefi Feb 01 '21 at 05:39