PHP
alex stephen, 2017-10-31 10:23:35

How to make CSRF form protection on a third-party resource?

In general, there is a certain widget that will be embedded on third-party sites and send an Ajax POST to our API. The public part of the API key will live on the client. How can we make it so that an attacker cannot imitate these requests from a third-party resource (or just curl)? Referer is easily faked, so only CSRF remains. Is it possible to implement this for a third-party resource?


2 answer(s)
Eugene, 2017-10-31
@e-antonov

Do I understand correctly that you have a pluggable widget from which any user WITHOUT authorization can post data to your backend, and you are wondering how to make it so that data can be posted only from the places where the widget is connected, and not from anywhere else?
If I understand correctly, then maybe you should think about some kind of whitelist of allowed resources from which posting is permitted?
It would probably also be possible to request a CSRF token from the backend when generating the widget itself and validate it on submission. But then who will prevent a third-party "intruder" from asking the backend for this token in the same way?
PS: and accordingly, it would be nice to somehow authorize the widget itself. You can see this in a pluggable comment widget like Disqus. You register in the system and, among other things, you are given the credentials needed to connect the script. Thus, Disqus always understands that valid comments are coming from your site, which you registered in the system, with the credentials that the system gave you.

Vitaly, 2017-10-31
@vshvydky

Maybe it's worth serving your widget through an iframe and generating a one-time key for validation after the fingerprint is completed?
This, of course, won't save you from everything, but curl lovers will be out of luck.
