Safe and unsafe HTTP methods' relation to cross-site request forgery (CSRF)
Question
Sonar raises security alerts on backend endpoints allowing both GET and POST methods, as described here.
How is this related to CSRF?
CSRF is explained by OWASP here, but I don't get why having an endpoint open to both GET and POST is harmful. If I limit it to a POST-only endpoint, the attacker can still build a CSRF POST request.
Answer 1
Score: 0
As Heiko said in a comment, Sonar assumes we're using a framework that adds and handles CSRF tokens for us on sensitive endpoints.
For example, Java Spring allows you to configure it as explained in the documentation. Sonar assumes you've already configured it.
It considers POST/PUT/PATCH/DELETE requests but not GET requests, because it assumes that your code follows the best practice: no data alteration in GET endpoints. Of course, you should adapt it to your use case, identifying which endpoints are sensitive and configuring it accordingly.
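The answer's point in runnable form, as an added model that is not Spring's or Sonar's code: a CSRF filter that, like the framework default, demands a token only for non-safe verbs, and a state-changing endpoint that either accepts GET and POST (what Sonar flags) or POST only. The `/account/email` path, the `tok-42` session token and the email values are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "TRACE", "OPTIONS"}  # verbs the default filter exempts


@dataclass
class Request:
    method: str
    path: str
    new_email: str
    csrf_token: Optional[str] = None  # token a first-party form sends; cross-site requests have none


@dataclass
class App:
    methods_by_path: dict              # endpoint path -> verbs it accepts
    session_token: str = "tok-42"      # constructed: token held in the user's session
    emails: dict = field(default_factory=lambda: {"alice": "alice@example.test"})

    def csrf_ok(self, req: Request) -> bool:
        """Default policy: only non-safe verbs must present the session's token."""
        return req.method in SAFE_METHODS or req.csrf_token == self.session_token

    def handle(self, req: Request) -> int:
        """Returns an HTTP status; the stored email only changes if the handler runs."""
        if req.method not in self.methods_by_path.get(req.path, set()):
            return 405
        if not self.csrf_ok(req):
            return 403
        self.emails["alice"] = req.new_email  # data alteration, whichever verb reached it
        return 200


def tokenless_changes_state(app: App, method: str) -> bool:
    """A cross-site request carries no token; True if it still changed the email."""
    status = app.handle(Request(method, "/account/email", f"{method.lower()}@example.test"))
    return status == 200 and app.emails["alice"] == f"{method.lower()}@example.test"


def first_party_post(app: App) -> int:
    """The legitimate form submission, carrying the session token."""
    return app.handle(Request("POST", "/account/email", "new@example.test", csrf_token="tok-42"))


def demo() -> dict:
    both = App({"/account/email": {"GET", "POST"}})  # the configuration Sonar flags
    post_only = App({"/account/email": {"POST"}})    # the fix: safe verbs cannot reach the handler
    return {
        "get_on_get_and_post": tokenless_changes_state(both, "GET"),       # True: filter skipped
        "post_on_get_and_post": tokenless_changes_state(both, "POST"),     # False: 403
        "get_on_post_only": tokenless_changes_state(post_only, "GET"),     # False: 405
        "post_on_post_only": tokenless_changes_state(post_only, "POST"),   # False: 403
        "legit_post_on_post_only": first_party_post(post_only),            # 200
    }
```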