DEV Community

Discussion on: Protect your application from CSRF attacks

Nikos Kanakis

Nice article Omer 👍
I have a question: do you need to add CSRF protection if you write an API?
Aren't you safe enough if you accept a JSON-only content type and configure CORS correctly?

Omer Hamerman

Hi Nikos!
The question is whether the API is authenticating users before letting them interact with it. If you don’t use cookies or basic auth, then like you said there’s no CSRF vector to protect from.
CORS is a very good starting point and accepting JSON only will make sure you don’t accidentally expose yourself to XXE. But I’m assuming that by configuring CORS you are allowing specific domains to access the API? If that’s the case then it’s still your responsibility to provide them with tokens.
Bottom line is, if there’s no cookie that sits in a browser, still valid and can be joined to incoming requests, then CSRF is out of the picture.
I hope this helps. Let me know what you think
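The rule of thumb in the reply above, turned into a request check as an added example (not code from the original post or from the article it discusses): a request only matters for CSRF when the browser attaches a credential by itself (a cookie or cached Basic auth), a JSON-only API rejects the body encodings a cross-site HTML form can produce, and an origin allow-list stands in for the CORS configuration. `ALLOWED_ORIGINS` and the header values used below are constructed placeholders.

```javascript
// Origins that the CORS configuration permits to call the API (constructed placeholder).
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Body encodings an HTML form (or a no-CORS fetch) can send without a preflight.
const FORM_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// True when the browser would attach this credential to a forged request on its own.
function hasAmbientCredential(headers) {
  if (headers.cookie) return true;
  const auth = (headers.authorization || '').toLowerCase();
  return auth.startsWith('basic '); // Basic auth is replayed by the browser once cached
}

// "application/json; charset=utf-8" -> "application/json"
function mediaType(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// Decide whether a request can proceed. `headers` is a plain object with
// lower-case keys, as Node's http module provides. Assumes GET/HEAD never
// change state. Returns 'allow', 'reject-origin' or 'reject-content-type'.
function evaluateRequest(method, headers) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase())) return 'allow';
  // A Bearer token set by script is not sent by a cross-site form: no CSRF vector.
  if (!hasAmbientCredential(headers)) return 'allow';
  // Origin is sent on cross-site POSTs; anything outside the allow-list is refused.
  const origin = headers.origin;
  if (origin && !ALLOWED_ORIGINS.has(origin)) return 'reject-origin';
  // JSON only: this drops every encoding in FORM_CONTENT_TYPES and a missing type.
  const type = mediaType(headers['content-type']);
  if (type !== 'application/json') return 'reject-content-type';
  return 'allow';
}

// Example of what a cookie-authenticated form post from another site looks like.
function isFormEncoding(contentType) {
  return FORM_CONTENT_TYPES.has(mediaType(contentType));
}
```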