I have been learning how to protect a website against CSRF attacks in an ASP.NET MVC web application. They mention two ways to achieve this, either by:
Using token verification, with

    @Html.AntiForgeryToken()

and

    [ValidateAntiForgeryToken]

Using HTTP referrer validation, such as:

    using System.Web;
    using System.Web.Mvc;

    public class IsPostedFromThisSiteAttribute : AuthorizeAttribute
    {
        // AuthorizeAttribute exposes OnAuthorization as the method to override.
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext.HttpContext != null)
            {
                // Reject requests that carry no Referer header at all.
                if (filterContext.HttpContext.Request.UrlReferrer == null)
                    throw new HttpException("Invalid submission");

                // Reject requests whose Referer host is not this site.
                if (filterContext.HttpContext.Request.UrlReferrer.Host != "mysite.com")
                    throw new HttpException("This form wasn't submitted from this site!");
            }
        }
    }

and

    [IsPostedFromThisSite]
    public ActionResult Register(…)

So I am confused about whether I need to use both of these methods to protect my site against CSRF attacks, or whether I can choose just one of them?
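
How each of the two checks named in the question decides on a request, as an added example that is not part of the original post and not ASP.NET MVC's own implementation. The token is modelled as an HMAC-SHA256 of a session id (an assumption standing in for the framework's real token), and `CsrfChecks`, the sample requests, the `/Account/Register` path and `other.example` are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Simplified model of the two checks; not ASP.NET MVC's own implementation.
static class CsrfChecks
{
    // Same rule as the referrer filter in the post: a missing Referer or another host fails.
    public static bool RefererAllowed(string refererHeader, string expectedHost)
    {
        Uri referrer;
        if (!Uri.TryCreate(refererHeader, UriKind.Absolute, out referrer)) return false;
        return string.Equals(referrer.Host, expectedHost, StringComparison.OrdinalIgnoreCase);
    }

    // Assumed token scheme: HMAC-SHA256 of the session id under a server-side key.
    public static byte[] IssueToken(byte[] key, string sessionId)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(sessionId));
    }

    public static bool TokenValid(byte[] key, string sessionId, byte[] submitted)
    {
        byte[] expected = IssueToken(key, sessionId);
        if (submitted == null || submitted.Length != expected.Length) return false;
        int diff = 0; // compare every byte so timing does not depend on the first mismatch
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ submitted[i];
        return diff == 0;
    }
}
static class Program
{
    static void Main()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        const string session = "constructed-session-id";
        byte[] token = CsrfChecks.IssueToken(key, session);

        // Constructed sample requests: description, Referer header, submitted token.
        var requests = new[] {
            Tuple.Create("same-site form post", "https://mysite.com/Account/Register", token),
            Tuple.Create("Referer header absent", (string)null, token),
            Tuple.Create("cross-site post, no token", "https://other.example/page", (byte[])null),
        };
        foreach (var r in requests)
            Console.WriteLine("{0,-26} referrer check: {1,-5} token check: {2}", r.Item1,
                CsrfChecks.RefererAllowed(r.Item2, "mysite.com"),
                CsrfChecks.TokenValid(key, session, r.Item3));
    }
}
```

The second row is the case where the two checks disagree: a same-site post that arrives without a Referer header is rejected by the referrer rule while its token still validates.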