CSRF protection in microservices


Rohit Goel

Nov 1, 2017, 9:23:21 AM
to null-...@googlegroups.com
Hi All,

Please can anyone help: what is the correct method to protect APIs from CSRF? Considering the technology used is AngularJS for the front end and APIs as services at the server end.

As per my understanding, verification of XHR requests when an API call is made is something which mitigates the issue; however, can the recommendation of a CSRF token be used for API endpoints?

Thanks
Rohit

TAS

Nov 1, 2017, 1:13:01 PM
to null-...@googlegroups.com
RESTful endpoints are generally authenticated using something like OAuth or JWT. Once the authentication is successful, you set a custom header with the access token in it in case of OAuth, or a bearer token in case of JWT. Setting custom headers is only possible using AJAX. Now the only way I can think of executing a successful CSRF in the absence of CSRF protection is if you have XSS. However, you can still set another custom header for CSRF too. I vaguely recall seeing such an implementation on twitter.com or api.twitter.com.

Hope that helps.

TAS
--
______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
Visit this group at https://groups.google.com/group/null-co-in.
For more options, visit https://groups.google.com/d/optout.