Nice article Omer 👍
I have a question: do you need to add CSRF protection if you write an API?
Aren't you safe enough if you accept a JSON-only content type and configure CORS correctly?
Hi Nikos!
The question is whether the API is authenticating users before letting them interact with it. If you don’t use cookies or basic auth, then like you said there’s no CSRF vector to protect from.
CORS is a very good starting point and accepting JSON only will make sure you don’t accidentally expose yourself to XXE. But I’m assuming that by configuring CORS you are allowing specific domains to access the API? If that’s the case then it’s still your responsibility to provide them with tokens.
Bottom line is, if there's no cookie that sits in a browser, is still valid and can be joined to incoming requests, then CSRF is out of the picture.
I hope this helps. Let me know what you think.
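The reply above boils down to one question: does the browser attach the credential on its own? The following is an added example, not code from the article or from either commenter, that turns that question into a request check. Cookies and HTTP Basic auth are "ambient" credentials (the browser sends them on cross-site requests too), so a state-changing request carrying one must also pass an Origin allow-list and a JSON-only Content-Type check; a bearer token in an Authorization header cannot be attached by an attacker's page, so no CSRF check is needed. The cookie name `session`, the origin `https://app.example.com` and the sample requests are constructed assumptions for the demo. Note that `application/json` cannot be produced by an HTML form (forms are limited to `application/x-www-form-urlencoded`, `multipart/form-data` and `text/plain`), so a JSON-only rule forces a CORS preflight, which is why the two ideas in the question work together.

```javascript
// Added example: classify incoming requests by credential type to decide
// whether CSRF defences apply. Not the article's or commenters' code.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed front-end origin
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);      // assumed to be side-effect free
const SESSION_COOKIE = "session";                               // assumed session cookie name

// Headers are stored with lower-case names in the sample requests below.
function header(req, name) {
  const v = req.headers[name.toLowerCase()];
  return v === undefined ? "" : String(v);
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Ambient credentials are the ones a browser attaches without the page's help:
// a session cookie, or cached HTTP Basic credentials.
function usesAmbientCredentials(req) {
  const cookies = parseCookies(header(req, "cookie"));
  if (Object.prototype.hasOwnProperty.call(cookies, SESSION_COOKIE)) return true;
  return /^basic\s/i.test(header(req, "authorization"));
}

// Strict media-type check; parameters such as "; charset=utf-8" are ignored.
function isJson(req) {
  const ct = header(req, "content-type").split(";")[0].trim().toLowerCase();
  return ct === "application/json";
}

// Returns { ok, reason } for a request shaped like { method, headers }.
function csrfDecision(req) {
  const method = req.method.toUpperCase();
  if (SAFE_METHODS.has(method)) return { ok: true, reason: "safe method" };
  if (!usesAmbientCredentials(req)) {
    // Bearer token or API key in a header: an attacker's page cannot add it,
    // so a cross-site request would simply arrive unauthenticated.
    return { ok: true, reason: "no ambient credential, CSRF not applicable" };
  }
  // Cookie or Basic auth present: the browser would attach it to a forged
  // request as well, so require a body type that forces a CORS preflight and
  // an Origin we explicitly trust.
  if (!isJson(req)) return { ok: false, reason: "non-JSON body with ambient credential" };
  const origin = header(req, "origin");
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, reason: `origin not allowed: ${origin || "(none)"}` };
  }
  return { ok: true, reason: "JSON body from allowed origin" };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  // Classic CSRF: a form on an attacker's site posting with the victim's cookie.
  formPost: { method: "POST", headers: { cookie: "session=abc123", "content-type": "application/x-www-form-urlencoded", origin: "https://evil.example" } },
  // Token-based API client: nothing ambient to ride on.
  bearerPost: { method: "POST", headers: { authorization: "Bearer eyJ0eXAi.fake.token", "content-type": "application/json" } },
  // Legitimate cookie-authenticated call from the real front-end.
  cookieJsonAllowed: { method: "POST", headers: { cookie: "session=abc123", "content-type": "application/json", origin: "https://app.example.com" } },
  // Same, but the Origin is not ours.
  cookieJsonEvil: { method: "POST", headers: { cookie: "session=abc123", "content-type": "application/json", origin: "https://evil.example" } },
  // Reads are exempt under the assumption that they change nothing.
  cookieGet: { method: "GET", headers: { cookie: "session=abc123" } },
  // Basic auth counts as ambient too; missing Origin is rejected.
  basicNoOrigin: { method: "DELETE", headers: { authorization: "Basic dXNlcjpwYXNz", "content-type": "application/json" } },
};

function runSamples() {
  const results = {};
  for (const [name, req] of Object.entries(SAMPLES)) results[name] = csrfDecision(req);
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(runSamples());
}
```

The decision function only answers "does this request need CSRF handling and does it pass"; it says nothing about whether the credential itself is valid, which stays with the normal auth layer. If the API is served to third-party domains listed in CORS, those clients should authenticate with a header-carried token so they land in the "not applicable" branch rather than the cookie branch.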