alisaduncan / angular-security-code

Code example for built-in security mechanisms in Angular

XSRF mitigation with interceptor #1

Open paviad opened 1 year ago

paviad commented 1 year ago

Loved your talk at https://www.youtube.com/watch?v=NRg-rsMEdQs

The code doesn't include the XSRF interceptor thing, or did I miss it?

Thanks!

alisaduncan commented 1 year ago

Hey @paviad! Glad to hear it and thank you for your kind words!

You're correct, this repo doesn't include the XSRF interceptor since it requires mostly server-side code changes to see this end-to-end, which is outside of the scope of Angular.

On the Angular side, the steps are relatively straightforward: importing the HttpClientXSRFModule and configuring the cookieName and headerName as required for your system. Here's a post I wrote that documents this process (along with more info about the mitigation strategy) - Protect Your Angular App From Cross-Site Request Forgery.

On the server side, you'll have to implement verification of the XSRF cookie value, as well as supply the cookie in the first place. It's essential to make sure you have good defenses in place for getting the initial cookie, including carefully applying the SameSite cookie attribute and thoughtful consideration of CSPs, including CORS. OWASP has a great cheatsheet you might be interested in that covers this in detail - Cross-Site Request Forgery Prevention Cheat Sheet.

Hope this helps and happy secure coding!
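As an added example (not code from this repo or from either commenter), the double-submit mechanism behind Angular's HttpClientXsrfModule modelled in plain TypeScript so it runs without Angular: the client half mirrors what the interceptor does, and the server half is the verification step the reply says you must add yourself. The cookie and header names are Angular's defaults; the request shape and token value are constructed for the example.

```typescript
// Added example, not the repo's code. Default names match Angular's
// cookieName / headerName options.
const COOKIE_NAME = "XSRF-TOKEN";
const HEADER_NAME = "X-XSRF-TOKEN";

// Simplified request model (assumption): `cookies` is what the browser
// attaches automatically, `headers` is what the app sets explicitly.
interface Request {
  method: string;
  url: string;
  headers: Record<string, string>;
  cookies: Record<string, string>;
}

// Client side: what Angular's XSRF interceptor does before a request leaves
// the app. It copies the cookie into the header only for non-GET/HEAD requests
// to relative URLs, and only when a token cookie exists and the header is not
// already set, so the token is never sent to a third-party origin.
function addXsrfHeader(req: Request): Request {
  const url = req.url.toLowerCase();
  const skip = req.method === "GET" || req.method === "HEAD" ||
    url.startsWith("http://") || url.startsWith("https://");
  const token = req.cookies[COOKIE_NAME];
  if (skip || token === undefined || HEADER_NAME in req.headers) return req;
  return { ...req, headers: { ...req.headers, [HEADER_NAME]: token } };
}

// Constant-time comparison so the token check does not leak via timing.
function equalConstantTime(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side: accept a state-changing request only when the header echoes
// the cookie. A cross-site form post carries the cookie automatically but
// cannot set the custom header, so a forged request fails this check.
function verifyXsrf(req: Request): boolean {
  if (req.method === "GET" || req.method === "HEAD") return true; // safe methods
  const cookie = req.cookies[COOKIE_NAME];
  const header = req.headers[HEADER_NAME];
  if (!cookie || !header) return false;
  return equalConstantTime(cookie, header);
}
```

The check above only covers the token comparison; issuing the cookie and the SameSite/CORS hardening the reply mentions still belong to the server.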