乐闻世界logo
搜索文章和话题

How to use CSRF Token to protect against cross-site request forgery attacks?

2月21日 16:11

CSRF Token is one of the most commonly used and effective protection mechanisms against Cross-Site Request Forgery attacks.

Basic Principles of CSRF Token

A CSRF Token is a randomly generated, unpredictable string that the server generates when a user visits a protected page and embeds it into the form or passes it to the client through other means. When the user submits the form, the server verifies whether the Token included in the request matches the Token stored on the server.

Token Generation and Storage

  1. Generation Phase:

    • Use cryptographically secure random number generators
    • Token should be long enough (at least 128 bits)
    • Include information such as timestamps or session IDs
    • Can use UUID or other unique identifiers

  2. Storage Methods:

    • Server-side Session: Most common method, storing Token in user Session
    • Encrypted Cookie: Store encrypted Token in Cookie
    • Database: Store Token associated with user in database

Token Verification Process

  1. When user accesses form page, server generates Token
  2. Token is embedded in form's hidden field
  3. When user submits form, Token is sent to server with request
  4. Server verifies whether Token in request matches Token in Session
  5. If verification succeeds, process request; if fails, reject request

Implementation Example

javascript
// Generate Token
function generateCSRFToken() {
    return crypto.randomBytes(32).toString('hex');
}

// Middleware to verify Token
function csrfProtection(req, res, next) {
    const token = req.body._csrf || req.headers['x-csrf-token'];
    if (token !== req.session.csrfToken) {
        return res.status(403).send('Invalid CSRF token');
    }
    next();
}

Security Considerations for Token

  1. One-time use: Token should be updated after each request
  2. Time validity: Token should have expiration time
  3. Uniqueness: Each user session should have independent Token
  4. Unpredictability: Use cryptographically secure random number generators
  5. HTTPS transmission: Ensure Token is not stolen during transmission

Coordination with Other Protection Measures

CSRF Token is usually used in conjunction with other protection measures:

  • SameSite Cookie attribute
  • Referer header verification
  • Custom HTTP headers

This multi-layer protection strategy can provide more comprehensive security protection.

标签:CSRF
热门标签
更多
Git(114)C语言(23)C++(15)React(34)前端(148)Cypress(27)JavaScript(56)Linux(20)Rust(10)Docker(65)Mongoose(18)TypeScript(27)MySQL(8)Vue(13)Tailwind CSS(29)CSS(19)ElasticSearch(24)网络(12)TypeORM(31)