Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 12 months ago.
The community reviewed whether to reopen this question 12 months ago and left it closed:
Needs more focus Update the question so it focuses on one problem only by editing this post.
Improve this question
I want to prevent CSRF attacks on my API (Express app nodejs)
I searched google and youtube but I can't find way to do it. On the youtube tutorial it said generate a token and send it to the client side but won't the hacker just send a request to get csrf token and bypass the csrf thingy? I'm confused please help.
A traditional CSRF attack works by placing a pre-populated form on the the attacker's site and submitting it cross-origin. It then uses credentials that are automatically sent with the request to send the attacker's data under the guise of the browser owner's identity.
By putting a token in both the cookies (or session) and the form and checking to see if they match, you can defend against this. The attacker can't just send a request to get the CSRF token because:
If they get the user to make the request then the Same Origin Policy prevents them from reading the response with the token in it
If they make the request directly then they won't have the user's cookies so will get a different (non-matching) token
When you are dealing with a web service (and you need to make that API work across origins), things are different. The key defence here is to design the API so either:
The credentials go somewhere where they won't be sent automatically (e.g. in an Authorization header) so the attacker can't make the request with them.
The request is in a format where it requires a CORS preflight request to send (e.g. with a Content-Type: application/json request header).
… or both.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 3 days ago.
This post was edited and submitted for review yesterday.
Improve this question
I am using a JavaScript script embedded on a third-party website to make an API call to our server. We are using Cross-Origin Resource Sharing so that the script on the third-party website can read the response of our API. The CORS headers are set by the cors npm-plugin, and everything works fine if the API response is immediate (doesn't take more than a few ms).
However, if there is even a slight delay (few hundred ms) due to database lookups etc., the API call fails with the generic message "failed to fetch".
Failed to fetch error + network tab in the dev console
The API call is a POST request with a JSON body, so a CORS preflight request is also initiated by the browser.
So far I have concluded that it must be a CORS issue, since the API call processes fine on the server side, however the response isn't accessible on the third-party website. The thing I don't understand is why is it working if there is no delay, but if there is a delay (even an artificial one, with setTimeout and no other changes), it doesn't work anymore. I could also add that in Postman or even executing the fetch request locally in a node.js script, everything works fine even with delays of 2 seconds or more. That's why I don't think it is a server side issue, but not 100% sure of course.
This is the fetch request from the script that is embedded on the third-party website:
The fetch request
I don't think it would be a misconfiguration on the server side, since it's just a plain POST endpoint with JSON and the npm "cors" plugin for handling the CORS headers. It's a node.js server built with "express", nothing out of the ordinary there. We are using the cors package without any additional configuration, simply with:
app.use(cors());
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 1 year ago.
Improve this question
I am trying out some sample code from an Auth0 blog post, Prevent Cross-Site Request Forgery (CSRF) Attacks.
There are two servers being setup, a vulnerable site at localhost:3000 and the attacker's site at localhost:4000. The attacker's site makes a POST request to the vulnerable site using a hidden form, and the vulnerable site accepts the attacker's data.
I checked the attackers POST request, and the origin and the referer headers are both localhost:4000. Since it is making a request to localhost:3000, why doesn't the browser throw a CORS error?
The localhost:3000 server does not implement any kind of CORS policy.
The sample code is in the repo https://github.com/auth0-blog/csrf-sample-app.git.
The purpose of CORS is not to increase security, but to allow new kinds of cross-origin communication. The approach in this code (cross-origin form posting) is an old kind of cross-origin request that has always been allowed by browsers, and is explicitly exempted from the newer CORS mechanisms.
Because this kind of attack has always been possible, sites have always needed CSRF protection against it. I assume that the authors of the article chose this method specifically to avoid the additional complexity of having to explain the CORS protocol.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 2 years ago.
Improve this question
Hi there guys I am using Flask for my backends so if I wanna send a request from client (js) to my backend (flask) I will normally use fetch()in js to send a request and I receive in my backend but the problem is that using Chrome developer tools all the guys are seeing to where I am sending a request and like I am geting tons of unwanted request to my backend which I not sent by my client(js) so guys are sending any way to prevent it
I have also tried API auth but the problem is they are seeing my API keys and sending request please help me
The browser belongs to the user. It is completely under their control.
It is impossible to send data from the browser without the user being able to inspect it.
You can't secure the browser from the user who owns it.
There is no way to restrict an API so that it can only be accessed by your code running in the user's browser.
While every thing on the client belongs to the client , HTTP response headers can be leveraged to tighten up the security of web apps, typically just by adding a few lines of code. Depending on the technology your using
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
I'm working with an api that is formatted in XML and it hasn't been secured/received an SSL certificate (HTTPS). Is there a way to bypass this and display the data?
I've tested to make sure it wasn't my code that was the problem. I'm using a simple fetch to output the code in my console. It works properly with other secure api's like the star wars api.
fetch(Url)
.then(data => {
return data.xml()
})
.then(res => {
console.log(res)
})
I'm just trying to output basic data in either JSON or XML format
When on an HTTPS connection, you cannot connect to an HTTP endpoint like you're trying.
The best solution would be to fix the API so that it supports HTTPS, but if that's not possible, you can bounce the request off of your own (HTTPS-enabled) backend, have that backend make the HTTP request to the API, and have your backend reply with the response it receives.
If this is for your own testing and not for a production facing site I'd try adding the http endpoint to this Chrome flag:
You can get to Chrome flags by putting chrome://flags in the Chrome address bar.
Note: I haven't tested this. It's entirely possible this is only useful for "powerful features" as described here.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
Scenario:
I have a webserver running php, I want to be able to be able to securely send a request to a separate server running nodejs and get a response back.
The node server will never need to send anything to the webserver by itself, e.g notifications/updates. So I don't think I need the 2 way communications that websockets would provide.
PHP sends a request to node, node processes the request, sends back data (most likely in JSON), php continues with it's script using the returned data.
Problem
I own the server running node, but the webserver is out in the wild. I need a way of making sure that any requests that come in to the node server are actually from the webserver not someone/something else, and I need the request and response data to be encrypted.
I have gathered I don't want to rely on something simple like checking ip addresses, I know that the webserver and the node sever will have to both have some shared secret information/algorithms to encode data. I could have a go at implementing this myself, but I know this problem is already solved with some encryption protocol / libraries.
I'm familiar with the concepts of encryption and keys, but I have never had to implement them.
Question
What is the best way to go about this?
What kind of encryption should/can I use, that is both supported by php and nodeJs?
What would be the potential security threats, if any?
I would suggest interact between two web servers using REST APIs.
REST APIs are used in these types of implementations.
If you can build proper authentication strategy, then the communication should be secure. If you enable SSL on Node, the communication will be encrypted. You can also limit by IP addresses, hostnames, and user agent strings.
Token based authentication with SSL should be good enough security. Utilize a strategy that implements nonce, and always have the tokens expire.
Implement CSRF strategy to prevent MITM attacks.
Build a token-based strategy that relies on common encryption methods, such as:
OAuth2
WSSE on Symfony2
CSRF on Express