CSRF Token in Authenticated REST API

I understand the purpose of CSRF token protection.

However, I believe that this protection is useless, and that we should remove it, in the case of a REST API that requires an authentication token in the header for every action.

Thus, even if Mallory forges a malicious HTML link for Alice, the attack cannot be performed. The reason is that:

Alice stores the authentication information in a key that Mallory doesn't know about. And unlike cookies, Alice's browser does not automatically send this authentication token.

So in this context, I would like you to take a look at the question: can we remove CSRF token protection from this kind of API design?

+3




1 answer


Yes, you don't need CSRF protection when using bearer scheme authentication as the browser doesn't automatically add an authorization header to the request.

You need CSRF protection for cookie, basic, Windows, digest and client certificate authentication schemes, as they are automatically added by the browser.



See also Dominick Baier's article on Implicit vs Explicit Authentication: http://leastprivilege.com/2015/04/01/implicit-vs-explicit-authentication-in-browser-based-applications/

+5








