SPA, site using oauth2 api - i need csrf protection

My site is a complete SPA and all authenticated user requests are made using an access token; the only form that non-authenticated users have access to is the login form. So do you need CSRF protection? What potential security issues could arise if I disable CSRF protection on my site? Thanks.

+3




1 answer


If I understand your setup, it looks like this:

  • POST user credentials (ex: login form)
  • The server returns an authentication token in response
  • The user includes the token in the request header with each subsequent request

If this is accurate, and assuming you are using TLS and validating tokens correctly, I think you are already well protected against cross-site request forgery.



A typical CSRF defense is to send a token that only a legitimate website can see (for example, by setting a cookie), and then expect the same token to be returned either in the headers of subsequent requests, in the request parameters (not a good idea) or in the request body. Token-based authentication like yours already meets these requirements.

In short, if a malicious site can bypass your CSRF setup, then the villainous site can probably use the same vulnerability to defeat typical CSRF defenses.

+3

