CSRF Token in Authenticated REST API

I understood the purpose of protecting CSRF Token .

However, I believe that this protection is useless and we should remove it in the case of a REST API that requires an authentication token in the header for every action. p>

Thus, even if Mallory forges a malicious HTML link for Alice, the attack cannot be performed. The reason is that:

Alice stores the authentication information in a key that Mallory doesn't know about. And unlike cookies, Alice's browser does not automatically send this authentication token.

So in this context, I would like you to take a look at the question: can we remove CSRF marker protection from this kind of API design?


source to share

1 answer

Yes, you don't need CSRF protection when using bearer scheme authentication as the browser doesn't automatically add an authorization header to the request.

You need CSRF protection for cookie, database, windows, digest and client certificates authentication schemes as they are automatically added by the browser.

See also Dominic Bayer's article on Implicit vs Explicit Authentication: http://leastprivilege.com/2015/04/01/implicit-vs-explicit-authentication-in-browser-based-applications/



All Articles