If I have:
- A web front-end on one domain.
- A REST API on another domain.
- The REST API server configured to only allow cross origin requests from the web front-end domain by setting header Access-Control-Allow-Origin to the web front-end domain.
Aside from more hoops to jump through, what additional security does CSRF provide? Attackers can't POST to my backend without first injecting their code into the web front-end, right?
http://stackoverflow.com/questions/10741339/do-csrf-attack-worries-apply-to-apis
In my configuration, with CORS properly configured, do I need to decorate GET, POST, PUT, DELETE requests coming from the web front-end with the Cookie and the data element CSRF token?
Meta:
- http://stackoverflow.com/questions/10741339/do-csrf-attack-worries-apply-to-apis
- http://blog.codinghorror.com/preventing-csrf-and-xsrf-attacks/
- http://stackoverflow.com/questions/24680302/csrf-protection-with-cors-origin-header-vs-csrf-token
- http://stackoverflow.com/questions/17507206/how-to-make-a-post-simple-json-using-django-rest-framework-csrf-token-missing-o
- https://docs.djangoproject.com/en/dev/ref/csrf/#ajax
- https://docs.djangoproject.com/en/dev/ref/csrf/
- http://stackoverflow.com/questions/16501770/csrf-exempt-failure-apiview-csrf-django-rest-framework

I still need some help. Please help me flesh this idea out more.
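The following is an added example, not code from the question or from any of the linked posts. It models in plain functions what a browser does with a cross-origin request against the setup described above: the browser sends "simple" POSTs (form encodings or text/plain, no custom headers) without a preflight and with the victim's cookies attached, and Access-Control-Allow-Origin only decides whether the calling page may read the response, not whether the server executes the request. The origins, cookie and token values, the session store and the header name X-CSRF-Token are assumptions chosen for the illustration; the model also assumes the session cookie is sent cross-site (no SameSite restriction).

```javascript
// Added example (not from the question or its linked posts): a toy model of
// browser CORS behaviour next to a toy API server, to show what CORS does and
// does not stop. All origins, cookie/token values and header names are assumed.

const FRONTEND_ORIGIN = "https://app.example.com"; // assumed front-end origin
const ATTACKER_ORIGIN = "https://evil.example";    // assumed attacker page origin

// Fetch-spec "CORS-safelisted" values: a POST using only these goes out with no preflight.
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);

// True when the browser sends the request directly, without an OPTIONS preflight.
function isSimpleRequest(req) {
  if (!["GET", "HEAD", "POST"].includes(req.method)) return false;
  return Object.entries(req.headers).every(([name, value]) => {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return false;
    if (lower !== "content-type") return true;
    return SAFELISTED_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
  });
}

// Toy API server. The flags switch the server-side anti-CSRF checks on or off.
function makeApiServer({ checkOrigin = false, requireCsrfToken = false } = {}) {
  const sessions = { "sid=victim-session": { csrfToken: "t0k3n" } }; // constructed session store
  const executed = []; // state-changing actions the server actually carried out
  const corsHeadersFor = (origin) =>
    origin === FRONTEND_ORIGIN
      ? { "access-control-allow-origin": FRONTEND_ORIGIN, "access-control-allow-credentials": "true" }
      : {};
  return {
    executed,
    // Preflight policy: only the front-end origin is allowed.
    preflight(origin) { return origin === FRONTEND_ORIGIN; },
    handle(req) {
      const headers = corsHeadersFor(req.headers.origin);
      const session = sessions[req.cookie];
      if (!session) return { status: 401, headers };
      // Origin check: browsers set Origin on cross-origin POSTs and page script cannot forge it.
      if (checkOrigin && req.headers.origin !== FRONTEND_ORIGIN) return { status: 403, headers };
      // Token check: the attacker's page cannot read a token bound to the victim's session.
      if (requireCsrfToken && req.headers["x-csrf-token"] !== session.csrfToken) return { status: 403, headers };
      executed.push(req.body);
      return { status: 200, headers };
    },
  };
}

// Simplified browser: attaches the victim's cookie, adds Origin, preflights when
// required, then decides whether the calling page may read the response.
function browserSend(pageOrigin, req, server) {
  const outgoing = { ...req, headers: { ...req.headers, origin: pageOrigin }, cookie: "sid=victim-session" };
  if (!isSimpleRequest(req) && !server.preflight(pageOrigin)) {
    return { sentToServer: false, status: null, responseReadable: false };
  }
  const res = server.handle(outgoing);
  const readable = res.headers["access-control-allow-origin"] === pageOrigin;
  return { sentToServer: true, status: res.status, responseReadable: readable };
}

function runScenarios() {
  const transfer = { method: "POST", headers: { "content-type": "text/plain" }, body: "transfer 1000 to attacker" };
  const corsOnly = makeApiServer(); // ACAO restricted to the front-end, nothing else
  const attackerSimple = browserSend(ATTACKER_ORIGIN, transfer, corsOnly);
  const attackerJson = browserSend(ATTACKER_ORIGIN, { ...transfer, headers: { "content-type": "application/json" } }, corsOnly);
  const hardened = makeApiServer({ checkOrigin: true, requireCsrfToken: true });
  const attackerVsHardened = browserSend(ATTACKER_ORIGIN, transfer, hardened);
  const legit = browserSend(FRONTEND_ORIGIN,
    { ...transfer, headers: { "content-type": "application/json", "x-csrf-token": "t0k3n" } }, hardened);
  return {
    attackerSimple, attackerJson, attackerVsHardened, legit,
    corsOnlyExecuted: corsOnly.executed.length, hardenedExecuted: hardened.executed.length,
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

In the CORS-only scenario the attacker's text/plain POST reaches the server with the victim's cookie and is executed (status 200); the attacker merely cannot read the response, which is irrelevant for a state-changing request. The attacker's application/json POST is held back only because it needs a preflight. The hardened server rejects the same cross-site POST on the Origin header and the missing token, while the front-end's request with a token still succeeds.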