garyburgmann / drf-firebase-auth

Firebase backend to receive a user idToken and authenticate via Django REST Framework 'authentication.BaseAuthentication'. Optionally, a new local user can be created in the process.
MIT License

Should I use CSRF sessionauthentication with drf-firebase-auth? #29

Closed Arka-cell closed 3 years ago

Arka-cell commented 3 years ago

I am currently using drf-firebase-auth with vue.js and I don't know if I should implement CSRF with Django REST Framework. Should I look into how to do it? And should I be concerned or not if I am not using it? I don't know too much about security, and I don't want to leave a vulnerability in my website. I checked the following explanation and it says:

TokenAuthentication. This requires clients to pass a token in the Authorization header of each request. This is the kind of authentication you should use for most client-server setups, like a mobile app or desktop app consuming your API.

This kind of auth doesn’t require CSRF protection. The token isn’t stored in a cookie, so it doesn’t get sent automatically by your browser, which means it can’t cause CSRF vulnerabilities.

What's your opinion on this?
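The point in the quoted explanation, as an added illustration that is not code from this issue, drf-firebase-auth or DRF: a stand-in browser attaches cookies to every request for a host, but only first-party script can add an Authorization header, so a cookie session authenticates a request a third-party page triggered while a header-carried token does not. The host name, the `Bearer` prefix and the session/token values are constructed for the example.

```python
from dataclasses import dataclass, field

API_HOST = "api.example.test"  # constructed host name


@dataclass
class Request:
    host: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class Browser:
    """Cookie jar keyed by host. Cookies go out on every request to that host,
    whichever page caused the request; that automatic behaviour is what CSRF relies on."""

    def __init__(self):
        self._jar = {}

    def set_cookie(self, host, name, value):
        self._jar.setdefault(host, {})[name] = value

    def request(self, host, first_party, token=None):
        req = Request(host=host, cookies=dict(self._jar.get(host, {})))
        # Only the application's own script holds the Firebase idToken and can
        # put it in a header; a page on another origin cannot read or attach it.
        if first_party and token is not None:
            req.headers["Authorization"] = f"Bearer {token}"  # prefix is an assumption
        return req


def session_auth(req, sessions):
    """SessionAuthentication-style check: identity comes from the session cookie."""
    return sessions.get(req.cookies.get("sessionid"))


def token_auth(req, tokens):
    """TokenAuthentication-style check: identity comes from the Authorization header."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    return tokens.get(token) if scheme == "Bearer" else None


def cross_site_outcome():
    """Which scheme still authenticates a request that a third-party page triggered."""
    sessions, tokens = {"s1": "alice"}, {"t1": "alice"}  # constructed credentials
    b = Browser()
    b.set_cookie(API_HOST, "sessionid", "s1")  # left behind by an earlier cookie login
    req = b.request(API_HOST, first_party=False, token="t1")
    return {"session": session_auth(req, sessions), "token": token_auth(req, tokens)}
```

This is why DRF's own SessionAuthentication enforces CSRF checks on authenticated requests, while a header-only scheme does not need them; mixing both in one API means the session path still needs the CSRF token.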