{"id":138,"date":"2017-03-05T23:38:07","date_gmt":"2017-03-05T23:38:07","guid":{"rendered":"http:\/\/www.bhoomabrsr.com\/blog\/?p=138"},"modified":"2019-11-11T02:13:31","modified_gmt":"2019-11-11T02:13:31","slug":"angular-js-1-x-security-csrf-protection","status":"publish","type":"post","link":"https:\/\/www.bhoomabrsr.com\/blog\/index.php\/2017\/03\/05\/angular-js-1-x-security-csrf-protection\/","title":{"rendered":"Angular JS 1.x Security CSRF Protection"},"content":{"rendered":"<p><em>Definition (Source: wiki)<\/em><br \/>\nCross-site request forgery is an attack technique by which an attacker tricks an authenticated user into unknowingly executing actions on your website.<br \/>\n(or)<br \/>\nCross-site request forgery, also known as a one-click attack or session riding and abbreviated as <strong>CSRF<\/strong> or <strong>XSRF<\/strong>, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.<br \/>\nPrevention methods:<\/p>\n<ol>\n<li>Check the standard headers to verify whether the request comes from the same origin.<\/li>\n<li>Check the CSRF token and its validity against the user&#8217;s session ID.<\/li>\n<\/ol>\n<p>AngularJS supports CSRF protection by default: we need to set a cookie named&nbsp;<strong>XSRF-TOKEN<\/strong>&nbsp;in the browser, and Angular will automatically read it and append its value as the&nbsp;<strong>X-XSRF-TOKEN<\/strong>&nbsp;request header.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-139\" src=\"https:\/\/www.bhoomabrsr.com\/blog\/wp-content\/uploads\/2017\/03\/xsrf.png\" alt=\"\" width=\"471\" height=\"180\"><br \/>\nCookie info:<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-147\" src=\"https:\/\/www.bhoomabrsr.com\/blog\/wp-content\/uploads\/2017\/03\/cookie-1.png\" alt=\"\" width=\"279\" height=\"259\"><br \/>\nFor a regular $http request, AngularJS adds the&nbsp;<strong>X-XSRF-TOKEN<\/strong> header if 
one of the domain&#8217;s cookies is named&nbsp;<strong>XSRF-TOKEN<\/strong>.<br \/>\nTo send the token under a different HTTP header name, set&nbsp;<strong>defaults.xsrfHeaderName<\/strong> so that Angular uses the custom header key; the cookie name can likewise be changed with <strong>defaults.xsrfCookieName<\/strong>.<br \/>\nThe following snippet from the AngularJS framework source shows how this works:<\/p>\n<pre class=\"brush: jscript; title: ; notranslate\" title=\"\">\n// Only read the token for same-origin URLs, so it is never attached to\n// requests sent to third-party hosts.\nvar xsrfValue = urlIsSameOrigin(config.url) ?\n     $$cookieReader()&#x5B;config.xsrfCookieName || defaults.xsrfCookieName]\n     : undefined;\n// Attach the cookie value under the configured header name (X-XSRF-TOKEN by default).\nif (xsrfValue) {\n  reqHeaders&#x5B;(config.xsrfHeaderName || defaults.xsrfHeaderName)] = xsrfValue;\n}\n<\/pre>\n<p>The working example below sets the cookie and issues a request; inspect the HTTP headers in the browser&#8217;s developer tools to see the <strong>X-XSRF-TOKEN<\/strong> header being sent.<\/p>\n<pre class=\"brush: jscript; title: ; notranslate\" title=\"\">\n var app = angular.module('csrf_example', &#x5B;]);\n app.controller('MainCtrl', function($scope, $log, $http) {\n   // Demo value only: in a real application the server issues this cookie\n   // and verifies that the header value it receives matches the user's session.\n   document.cookie = \"XSRF-TOKEN=sjdjsdjsdbjhfg\";\n   $http.get('path').then(function() {\n     console.log('Network call done!');\n   });\n });\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Definition: (Source: wiki) Cross-site request forgery is an attack technique by which the attacker can trick an authenticated user into unknowingly executing actions on your website. 
(or) Cross-site request forgery, also known as one-click attack or&hellip; <a href=\"https:\/\/www.bhoomabrsr.com\/blog\/index.php\/2017\/03\/05\/angular-js-1-x-security-csrf-protection\/\">More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,3,11,15,20,21],"tags":[26,31,32],"class_list":["post-138","post","type-post","status-publish","format-standard","hentry","category-angular","category-angular-1-4","category-csrf","category-javascript","category-web-security","category-xsrf","tag-csrf","tag-web-security","tag-xsrf"],"_links":{"self":[{"href":"https:\/\/www.bhoomabrsr.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.bhoomabrsr.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bhoomabrsr.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bhoomabrsr.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bhoomabrsr.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=138"}],"version-history":[{"count":2,"href":"https:\/\/www.bhoomabrsr.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/138\/revisions"}],"predecessor-version":[{"id":202,"href":"https:\/\/www.bhoomabrsr.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/138\/revisions\/202"}],"wp:attachment":[{"href":"https:\/\/www.bhoomabrsr.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.bhoomabrsr.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bhoomabrsr.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}