DEV Community


Discussion on: Protect your application from CSRF attacks

Omer Hamerman (Author)

Hi Nikos!
The question is whether the API is authenticating users before letting them interact with it. If you don’t use cookies or basic auth, then like you said there’s no CSRF vector to protect from.
CORS is a very good starting point and accepting JSON only will make sure you don’t accidentally expose yourself to XXE. But I’m assuming that by configuring CORS you are allowing specific domains to access the API? If that’s the case then it’s still your responsibility to provide them with tokens.
Bottom line is, if there’s no cookie that sits in a browser, is still valid, and can be joined to incoming requests, then CSRF is out of the picture.
I hope this helps. Let me know what you think.
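One way to turn the reasoning in this reply into a server-side check, as an added example that is not the author's code: a state-changing request that carries only an explicit Authorization header has no CSRF vector, while a cookie-authenticated one must be JSON and must echo a session-bound token (the HMAC-based token pattern). `SECRET_KEY`, the `session` cookie name and the `X-CSRF-Token` header name are assumptions.

```python
import hmac
import hashlib
import secrets

# Server-side secret; a real app loads this from configuration (placeholder here).
SECRET_KEY = secrets.token_bytes(32)

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """HMAC-based CSRF token bound to the session cookie value.

    Handed to the page after login; the browser must echo it back in a
    header, which a cross-site HTML form cannot do.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(method: str, headers: dict, cookies: dict) -> tuple[bool, str]:
    """Decide whether a request may proceed; returns (allowed, reason)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no state change"
    session_id = cookies.get("session")
    if session_id is None:
        # No ambient credential the browser could attach on the user's behalf,
        # so there is nothing to forge; ordinary authentication still applies.
        if "authorization" in h:
            return True, "explicit Authorization header, no CSRF vector"
        return False, "unauthenticated"
    # Cookie-authenticated: insist on JSON, which a plain HTML form cannot send
    # and which a cross-origin fetch cannot send without a CORS preflight...
    if not h.get("content-type", "").startswith("application/json"):
        return False, "cookie auth requires application/json"
    # ...and on a token the attacker's page has no way to know.
    expected = issue_csrf_token(session_id)
    supplied = h.get("x-csrf-token", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "cookie auth with valid CSRF token"
```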