Questions tagged [x-xsrf-token]
98 questions
1 vote, 1 answer
Best way to avoid HTTP 403 error when getting Set-Cookie header to set CSRF Cookie
I'm calling a REST API that has CSRF protection.
Everything works well. I'm getting the token and sending it back to the server.
However, when I do the very first request or when the CSRF Cookie is not set in the browser it always throws an HTTP 403…

alayor
1 vote, 2 answers
MVC with Angular - ValidateAntiForgeryToken fails after Azure Login redirect with Adal
I have an MVC site with an embedded angular client and I've recently implemented an anti forgery XSRF token as a security measure.
I have set it up in Startup.cs as follows:
services.AddAntiforgery(options => options.HeaderName =…

JonnyKnottsvill
0 votes, 0 answers
laravel 10 "Token mismatch" on using web-routes
I am new to Laravel and Angular. I am using Angular as frontend on localhost:4200 and Laravel only as backend-system on localhost:8000. For authentication I use Sanctum. On my attempt to login firstly I request the XSRF-Token which is successfully…
0 votes, 0 answers
Token mismatch between 'springboot' and React AXIOS CSRF communication
return http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and()
//.authorizeRequests().antMatchers(HttpMethod.OPTIONS, "**").permitAll()
//.and()
…

dgkim
0 votes, 0 answers
How to set the HttpOnly flag to true for xsrf-token cookie in jersey?
I'm trying to set the HttpOnly flag of xsrf-token cookie to true in my jersey application.
At the moment I have two cookies, the HttpOnly flag of the jsession id cookie is set to true while the other is set to false.
I have this in my web.xml:
…

andreiiz
0 votes, 0 answers
add X-XSRF-TOKEN to the request header of sendBeacon()
I have an Angular application and to send analytics data to the server I defined the service that used the navigator.sendBeacon(). I wanted to add X-XSRF-TOKEN into the request header of navigator.sendBeacon(). But as you know, it's not possible, or…

FarbodKain
0 votes, 0 answers
Axios send X-XSRF-TOKEN taken from wrong cookie
I have an app on domain.com and sub.domain.com. Both apps set a cookie with the name X-XSRF-TOKEN but with a different domain value.
I use these settings for Axios, so Axios takes the token from cookies and sets it in headers:
axios.defaults.xsrfCookieName =…

Fyodor Khruschov
0 votes, 0 answers
How to send a POST request with Postman through Spring's CSRF
So, I am developing a very basic blog using spring boot, and as I am getting to the controllers layer, I want to test with Postman. GET requests are working perfectly fine, but POST requests are getting 403 forbidden.
I have been doing a lot of…

Tamsin-chan
0 votes, 0 answers
API that takes csrf token in response cookie and uses as xsrf-token header in further request
Can anyone please suggest any open API that takes a csrf token in the response of an API request, let's say login, and then in further requests accepts an x-xsrf-token header with the same value that was received in the response as csrftoken inside set-cookie?

advait
0 votes, 0 answers
Simulate a login to successfully POST to a different page
We have a self-hosted snipe-it instance. Sadly at the moment API-token creation is only possible via Website and we are waiting for the feature.
In the meantime we are trying to achieve the API-token creation via a different approach:
Since the…

MaKaNu
0 votes, 1 answer
Django Rest Framework says CSRF verification failed despite CSRF token is included in axios POST header
I have following react code to make call to django rest framework API:
import Cookies from 'js-cookie';
import axios from "axios";
async downloadVideowiseCSV (fromDate, toDate) {
var url = '/stat/getStats/';
const axiosInstance =…

Rnj
0 votes, 3 answers
Is AntiForgeryToken required in three tier application?
My security scan detected an issue of type "Missing AntiForgeryToken implementation". My application has a layer of .netCore WebApi services, a .netCore WebApi with RazorPages service and an Angular front-end application.
Reading online all CSRF Token…

Massimo Lavermicocca
0 votes, 1 answer
How does a xsrf token cookie protect against csrf?
Wouldn't a malicious site be able to read the cookie using xss cookie stealing and put it in the header of an ajax request?

Evert
0 votes, 1 answer
Changes in Client side if we are Setting HttpCookie.HttpOnly as true
In .net Core we use Configure antiforgery features with IAntiforgery along with [ValidateAntiForgeryToken] or AutoValidateAntiforgeryToken to prevent Cross-Site Request Forgery (XSRF/CSRF) attacks.
To configure antiforgery feature in…

Zeeshan
0 votes, 1 answer
What does the first 'X' in 'X-XSS-Protection', 'X-XSRF-TOKEN', and other similar HTTP headers signify?
It seems like just an arbitrary repetition, but I assume it must have some meaning. Else why not just call them 'XSS-Protection' and 'XSRF-TOKEN', respectively? If I knew the answer, the question of whether there is some rule-of-thumb regarding…

Jimbo1987