我对使用生成的csrf令牌来保护我的Web应用程序很感兴趣。我的问题是,我需要如何将该令牌发送回服务器:使用查询参数还是HTTP标头x-csrf-token?两者有何区别?
csrf
POST参数。这是唯一可行的方式。X-CSRF-Token
头部。主要是因为如果操作正确,这样做将节省您记住为每个POST请求添加令牌的麻烦。或者,使用jQuery Form等库时,在提交时添加额外的POST参数可能会变得很繁琐。X-CSRF-Token
。因此,几乎不需要修改客户端代码。这将使您的代码更加优秀。jQuery(document).ajaxSend(function(event, xhr, settings) {
function getCookie(name) {
var cookieValue = null;
if (document.cookie && document.cookie != '') {
var cookies = document.cookie.split(';');
for (var i = 0; i < cookies.length; i++) {
var cookie = jQuery.trim(cookies[i]);
// Does this cookie string begin with the name we want?
if (cookie.substring(0, name.length + 1) == (name + '=')) {
cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
break;
}
}
}
return cookieValue;
}
function sameOrigin(url) {
// url could be relative or scheme relative or absolute
var host = document.location.host; // host + port
var protocol = document.location.protocol;
var sr_origin = '//' + host;
var origin = protocol + sr_origin;
// Allow absolute or scheme relative URLs to same origin
return (url == origin || url.slice(0, origin.length + 1) == origin + '/') ||
(url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin + '/') ||
// or any other URL that isn't scheme relative or absolute i.e relative.
!(/^(\/\/|http:|https:).*/.test(url));
}
function safeMethod(method) {
return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
}
if (!safeMethod(settings.type) && sameOrigin(settings.url)) {
xhr.setRequestHeader("X-CSRFToken", getCookie('csrf.token'));
}
});
app.use(express.csrf())
:app.use((function(options) {
var csrf = express.csrf(options);
return function(req, res, next) {
function onCsrfCalled() {
var token = req.session._csrf;
var cookie = req.cookies['csrf.token'];
// Define a cookie if not present
if(token && cookie !== token) {
res.cookie('csrf.token', token);
}
// Define vary header
res.header('Vary', 'Cookie');
next();
}
csrf(req, res, onCsrfCalled);
}
})());
完整示例:https://github.com/senchalabs/connect/blob/master/examples/csrf.js
出现了404错误。 - slevin