Comments (5)
@justinas where is the pad randomized for every request? I couldn't find it
Update: found it. ctxSetToken
called on every valid-looking request while invalid requests get an error and empty requests get a new token with pad. This does not interfere with fetching the sent token which is not placed in the context.
from nosurf.
Also, it seems like this https://github.com/justinas/nosurf/blob/master/handler_test.go#L243 is doing the token masking on the client side. Is that what I should be doing in javascript before an ajax call?
from nosurf.
Tokens are masked when used in the HTML form (acquired by calling Token(r)
). You should use the same value for AJAX.
I assumed only masking the form values was enough, but it would be nice to check if it's susceptible to BREACH that way.
from nosurf.
Ok. Maybe I'm just misunderstanding how the X-CSRF-Token
header is meant to be used. I had assumed you were meant to take the value of the cookie, and use that as the header value in your response, but I think that you are saying that you should actually pass the result of Token(r)
to your javascript app somehow (rendering into a form/page, etc), and use that as the X-CSRF-Token
header value. And that your JS app should not touch the cookie or use it's value for anything. Additionally, you should use a different value of Token(r)
for each form, so as to not re-use a one-time-pad. Is all that correct?
Thanks for your help. I'm just trying to make sure I get this right.
from nosurf.
Yes, the intended way is to take Token(r)
. The cookie might as well be HttpOnly. Reusing the single value from Token(r)
should be fine, as BREACH requires many requests to recover secrets and the pad is randomized for every request.
from nosurf.
Related Issues (20)
- Filtering out safe methods and excluded paths HOT 2
- Token value error HOT 6
- Send a response body in defaultFailureHandler HOT 2
- please consider updating tags or deleting the current tag HOT 3
- example is insecure HOT 4
- Remove Referer check HOT 1
- Possible flaw HOT 2
- SetBaseCookie not having effect HOT 8
- Wiki page for newbies doubts and problems
- Doubts about many cookies and many Path for a single domain. HOT 13
- Prevent form resubmit HOT 1
- Logging HOT 1
- Combining Session and CSRF cookie HOT 3
- Is this normal behavior? HOT 5
- RegenerateToken generates two CSRF cookies when no previous CSRF cookie was set
- How does nosurf OTP protect against BREACH? HOT 5
- Inappropriate key in call to `context.WithValue`
- Ability to handle multiple cookies in context HOT 5
- Installing command of `nosurf` is missing in README.md
- CSRF failed with bad request HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nosurf.