rstudio / plumber

Turn your R code into a web API.
https://www.rplumber.io

CSRF & Cookies #176

Open tchakravarty opened 7 years ago

tchakravarty commented 7 years ago

Hi @trestletech,

We are experimenting with developing an API using plumber and we now need to secure the API, but the sections on CSRF and cookies in the manual are sparse. Any plans to update those sections?

Specifically, is there concrete guidance on how to prevent CSRF with plumber?

Thanks.

trestletech commented 6 years ago

I wrote up most of the Cookies security section last night: https://www.rplumber.io/docs/security.html#security-cookies

Note that some of the features documented there and in https://www.rplumber.io/docs/rendering-and-output.html#setting-cookies only exist in the dev version of plumber (devtools::install_github("trestletech/plumber")).

I have not documented XSRF, but honestly Plumber doesn't introduce any new requirements/quirks regarding cookie management or XSRF that any other API doesn't have. So you'd probably be fine reading other resources to get your head around XSRF and then reasoning through whether or not your API needs to be concerned or protect itself.

Eventually I'd like to put together an example that has all the "best practices" here for a Plumber API that uses cookies for authentication with a JS front-end. But no ETA on that.

tchakravarty commented 6 years ago

@trestletech,

Thanks for this! Quick comment -- can't the preventing XSRF section also be subsumed in the cookies section by basically requiring a "password" variable in the header of the request that needs to match the password stored in the (secure) cookie? An XSRF request would have the cookie, but not the password?

Thanks,

T

trestletech commented 6 years ago

Yeah, that sounds about like the normal XSRF mediation. Where the "password" is just a random string.
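The pattern agreed on above (a random token that the browser sends back in a cookie and that the JS front end must also copy into a request header, so a cross-site request, which cannot read the cookie, cannot produce the header) written out as a plumber API. This is an added example, not code from the thread or from the plumber project; the header name `X-XSRF-Token`, the cookie name `XSRF-TOKEN`, the endpoint paths and the `setCookie()` argument names follow the dev-version documentation linked in the thread and are assumptions.

```r
# plumber.R -- added example (not from the thread or the plumber project).
# Double-submit token: the token lives in a cookie the browser attaches
# automatically AND must be echoed by the front-end JS in a request header.
# A cross-site request carries the cookie but cannot read it, so it cannot
# supply a matching header. Cookie/header names are assumptions.

library(plumber)

#* Issue a fresh random token and set it as a cookie the front end can read.
#* `http = FALSE` is deliberate: the JS client has to read the cookie to copy
#* it into the header. `secure = TRUE` keeps it off plain HTTP.
#* @get /xsrf-token
function(req, res) {
  # 32 random bytes from a CSPRNG, hex-encoded -> 64 characters
  token <- paste(as.character(openssl::rand_bytes(32)), collapse = "")
  res$setCookie("XSRF-TOKEN", token, path = "/", http = FALSE, secure = TRUE)
  list(token = token)
}

#* Reject state-changing requests whose header token does not match the cookie.
#* GET/HEAD/OPTIONS are left alone: they must not change state anyway.
#* @filter xsrf
function(req, res) {
  if (req$REQUEST_METHOD %in% c("POST", "PUT", "PATCH", "DELETE")) {
    cookie_token <- req$cookies[["XSRF-TOKEN"]]   # parsed by plumber's cookie filter
    header_token <- req$HTTP_X_XSRF_TOKEN          # header X-XSRF-Token
    ok <- !is.null(cookie_token) && !is.null(header_token) &&
      nchar(cookie_token) == 64 && identical(cookie_token, header_token)
    if (!ok) {
      res$status <- 403
      return(list(error = "missing or mismatched XSRF token"))
    }
  }
  plumber::forward()
}

#* A state-changing endpoint; the filter above runs before it.
#* @post /transfer
function() {
  list(status = "ok")
}
```

Run it with `plumber::plumb("plumber.R")$run(port = 8000)`. A legitimate client first calls `GET /xsrf-token`, then sends `POST /transfer` with the cookie (attached by the browser) and the same value in the `X-XSRF-Token` header; a request that arrives with only the cookie gets a 403. The token check is only as strong as the cookie's confidentiality, so the `secure` flag and an XSS-free front end matter as much as the comparison itself.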