I am writing a Todo App with a Vue frontend and a Django rest framework backend.

From what I have gathered, this would be a secure way for me to do authentication and authorization:

When the user tries to login, my frontend will send a POST request with the user's information. The response will be some other basic user information that I will save in my pinia application state. But a CSRF token will also be sent back (which I believe are unique). Then my frontend will store the CSRF token in local storage as a session.

Now when the user is in my Todo App, my frontend will have to send a GET request to get the user's tasks. Here's where I need clarification -> In the GET request, I will pass in the CSRF token (I believe in the header) in order to get the user's tasks.

Is this the correct/secure way to use CSRF tokens for their intended purpose?
The intended purpose of a CSRF token is to make sure that the request is made by a legitimate entity. A legitimate entity in this case is your frontend app. Yes, you'll pass it to the server via an HTTP header.

However, a CSRF token is not an alternative to user authentication and authorization. You'll need to implement an authentication mechanism first. Without that, the CSRF implementation is not meaningful.
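As an added example (not code from the question, the answer, or Django itself) illustrating the ordering the answer describes: the server first identifies the user from a session cookie, and only then checks a CSRF token that is bound to that session. The in-memory session store and the HMAC-derived token are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed secret for this example; a real deployment loads it from settings.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed server-side session store: session id -> authenticated username.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def csrf_token_for(session_id: str) -> str:
    """Derive a CSRF token bound to one session (assumed HMAC scheme).

    Binding the token to the session means a token issued to one session
    cannot be replayed against another user's session.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def get_tasks(req: Request) -> tuple[int, str]:
    """Handle GET /tasks: authenticate, then verify CSRF, then serve.

    Returns an (HTTP status, body) pair so the outcome can be checked.
    """
    # Step 1: authentication. The session cookie, not the CSRF token,
    # is what tells the server who the user is.
    session_id = req.cookies.get("sessionid")
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, "not authenticated"

    # Step 2: CSRF check, layered on top of the authenticated session.
    # The token arrives in a header and is compared in constant time.
    presented = req.headers.get("X-CSRFToken", "")
    expected = csrf_token_for(session_id)
    if not hmac.compare_digest(presented, expected):
        return 403, "CSRF token missing or invalid"

    # Step 3: authorization is scoped to the authenticated user.
    return 200, f"tasks for {user}"
```

A request carrying a valid CSRF token but no session is rejected with 401, which is the answer's point: the token proves the request came through the frontend flow, not who the user is.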