I have been searching and reading other questions and blogs, but I didn't find anything concrete about my doubt.
A little of context:
I am developing a SPA which works with a REST API in Django by means of Django Rest Framework (DRF), and the authentication is done through a Bearer token: JWT (package 'Simple JWT'). So, I was reading whether it needs protection against CSRF:
• Do I need CSRF token if I'm using Bearer JWT?
• Should I use CSRF protection on Rest API endpoints?
• The Web API Authentication guide, Bearer tokens
Basically, if the browser does not authenticate automatically (with sessions or some kind of cookie), the odds of a CSRF vulnerability are slim. This approach is achieved with Bearer Tokens, using the JWT inside the 'Authorization' header.
Updated: In this development stage Django-CORS is set up, but in production a proxy will be configured through Nginx, avoiding CORS attacks.
The problem:
There are some public endpoints that don't need authentication, so I used this permission in the DRF settings:
'DEFAULT_PERMISSION_CLASSES': ['rest_framework.permissions.IsAuthenticatedOrReadOnly'],
This way, unauthorized users can only make safe requests (methods: GET, HEAD and OPTIONS). Users with a JWT can perform any kind of request.
Login and register views work through POST requests because they modify the state of the application. The issue is that the above permission prevents the 'anonymous' user (to call it that somehow) from being able to register or log in. The question is, how do I protect them?
I have thought of maybe changing the permission for these views to 'AllowAny'. But I don't know if this brings back the concern about CSRF, because there is no Bearer token here, or perhaps other security vulnerabilities that I can't even imagine.
Another possibility is to only use the CSRF token in these views.
Or is there any better approach to protect these two endpoints?
I hope someone will be able to help me!
CodePudding user response:
You can use CSRF tokens in your login and registration forms, and this will sufficiently protect you from CSRF attacks against these endpoints. You would then have to obviously allow for anonymous access to these endpoints. It's usual that login and registration endpoints are not behind a firewall and are accessible to anonymous users.
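A simplified model of the approach in this answer, as an added example in plain Python (not the poster's code and not Django's own CsrfViewMiddleware): unsafe requests that carry a Bearer header skip the CSRF check, anonymous POSTs are accepted only on the login/register paths, and those must pass a double-submit cookie/header comparison. The endpoint paths are assumptions; the cookie and header names follow Django's defaults.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Hypothetical public endpoints that must accept anonymous POSTs.
CSRF_PROTECTED_ANON_PATHS = {"/api/auth/login/", "/api/auth/register/"}
COOKIE_NAME = "csrftoken"    # Django's default CSRF cookie name
HEADER_NAME = "X-CSRFToken"  # Django's default CSRF header name


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def issue_csrf_token() -> str:
    """Mint a random token. The server sets it as the csrftoken cookie and
    hands the same value to the SPA (for example in the body of a GET), so
    the SPA's JavaScript can echo it back in the X-CSRFToken header."""
    return secrets.token_urlsafe(32)


def check_request(req: Request) -> tuple:
    """Return (status, reason). 200 means the request may reach the view."""
    if req.method in SAFE_METHODS:
        # Read-only access for everyone, as IsAuthenticatedOrReadOnly allows.
        return 200, "safe method"
    if req.headers.get("Authorization", "").startswith("Bearer "):
        # The SPA attached this header explicitly; a browser never adds it on
        # its own, so a cross-site form post cannot carry it. The JWT itself
        # is validated by the authentication class in the view.
        return 200, "bearer token present"
    if req.path not in CSRF_PROTECTED_ANON_PATHS:
        # Every other unsafe request needs a JWT.
        return 401, "authentication required"
    cookie = req.cookies.get(COOKIE_NAME, "")
    header = req.headers.get(HEADER_NAME, "")
    if not cookie or not header:
        # A forged cross-site POST can send the cookie but not the custom
        # header, so it fails here.
        return 403, "csrf token missing"
    if not hmac.compare_digest(cookie, header):
        return 403, "csrf token mismatch"
    return 200, "csrf token valid"
```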