Is my understanding of how to use CSRF tokens correct here?

I am writing a Todo App with a Vue frontend and a Django rest framework backend.

From what I have gathered, this would be a secure way for me to do authentication and authorization:

When the user tries to login, my frontend will send a POST request with the user’s information. The response will be some other basic user information that I will save in my pinia application state.
But a CSRF token will also be sent back (which I believe are unique).

Then my frontend will store the CSRF token in local storage as a session.

Now when the user is in my Todo App, my frontend will have to send a GET request to get the user’s tasks. Here’s where I need clarification: in the GET request, I will pass in the CSRF token (I believe in the header) in order to get the user’s tasks.

Is this the correct/secure way to use CSRF tokens for their intended purpose?

The intended purpose of a CSRF token is to make sure that a request is made by a legitimate entity. A legitimate entity in this case is your frontend app. Yes, you’ll pass it to the server via an HTTP header.

However, a CSRF token is not an alternative to user authentication and authorization. You’ll need to implement an authentication mechanism first. Without that, a CSRF implementation is not meaningful.
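As an added example (not code from the question or the answer above), here is a small fetch helper for the Vue side of the setup being discussed. It assumes Django REST framework's default SessionAuthentication, Django's default CSRF cookie name `csrftoken` and header `X-CSRFToken`, and a hypothetical `/api/tasks/` endpoint; the session cookie is what authenticates the user, and the CSRF header is attached only to the state-changing methods Django's CSRF middleware actually checks.

```javascript
// Added example, not from the original post. Assumes Django's default
// CSRF cookie name and header; the session cookie does the authentication.
const CSRF_COOKIE = "csrftoken";
const CSRF_HEADER = "X-CSRFToken";
// Methods Django's CsrfViewMiddleware exempts from the token check.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Read one cookie value out of a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Build fetch() options. credentials: "include" sends the sessionid
// cookie (authentication); the CSRF header is added only where Django
// checks it, so a plain GET for the task list carries no token.
function buildRequest(method, body, cookieString) {
  const upper = method.toUpperCase();
  const headers = { Accept: "application/json" };
  if (!SAFE_METHODS.has(upper)) {
    const token = readCookie(cookieString, CSRF_COOKIE);
    if (!token) throw new Error("CSRF cookie missing; load a page that sets it first");
    headers[CSRF_HEADER] = token;
    headers["Content-Type"] = "application/json";
  }
  return {
    method: upper,
    credentials: "include",
    headers,
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// Todo-app helpers: fetching tasks needs no token, creating one does.
function getTasksRequest(cookieString) {
  return buildRequest("GET", undefined, cookieString);
}
function createTaskRequest(task, cookieString) {
  return buildRequest("POST", task, cookieString);
}

// In the browser (hypothetical endpoint path):
//   fetch("/api/tasks/", getTasksRequest(document.cookie))
//   fetch("/api/tasks/", createTaskRequest({ title: "buy milk" }, document.cookie))
```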
