CSRF
CSRF is spelled out as Cross Site Request Forgery, i.e. cross-site request forgery.
An attacker steals your identity and sends malicious requests in your name.
- Including: sending e-mail or messages under your name, taking over your account, and even purchasing goods or transferring virtual currency...
- Problems caused: disclosure of personal privacy and loss of property.
CSRF attack schematic
- The server performs no same-origin security check when the client's request arrives, so a request forged from another site is processed as if the user had made it.
Preventing CSRF attacks
Steps
- When the client requests the interface data from the back end, the back end sets a cookie named csrf_token in the response.
- A hidden form field is added to the form whose value is also the csrf_token.
- When the user clicks submit, both values are carried along in the request to the back end.
- When the back end receives the request, it does the following:
  - Take the csrf_token out of the cookie
  - Take the csrf_token out of the hidden form field
  - Compare the two
  - If the two values are equal, the request is normal; if they differ (or either one is missing), the request is not normal and the next step is not performed.
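The steps above implemented as an added example (not code from the original page): the cookie name and hidden field name are both assumed to be `csrf_token`, the request is modelled as plain dicts, and `/transfer` with an `amount` field is a made-up sensitive action.

```python
# Added example (not from the original page): the double-submit cookie CSRF check
import hmac
import secrets

COOKIE_NAME = "csrf_token"   # assumed cookie name, as described on the page
FIELD_NAME = "csrf_token"    # assumed hidden form field name

def issue_csrf_token() -> str:
    """Step 1, server side: create an unguessable token to set as the cookie."""
    return secrets.token_urlsafe(32)

def render_form(token: str) -> str:
    """Step 2: build the HTML form that echoes the token back in a hidden field."""
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'
        '<input name="amount"><button>Submit</button></form>'
    )

def csrf_check(cookies: dict, form: dict) -> bool:
    """Step 4: the token in the cookie and in the hidden field must match."""
    cookie_token = cookies.get(COOKIE_NAME)
    form_token = form.get(FIELD_NAME)
    if not cookie_token or not form_token:
        return False   # either half missing: treat the request as forged
    # constant-time comparison so the check does not leak the token via timing
    return hmac.compare_digest(cookie_token, form_token)

def handle_transfer(cookies: dict, form: dict) -> str:
    """Only perform the sensitive action when the CSRF check passes."""
    if not csrf_check(cookies, form):
        return "rejected"
    return f"transferred {form.get('amount')}"

if __name__ == "__main__":
    token = issue_csrf_token()
    browser_cookies = {COOKIE_NAME: token}    # what Set-Cookie left in the browser
    # legitimate submit from the real form: both values come from the same response
    print(handle_transfer(browser_cookies, {FIELD_NAME: token, "amount": "10"}))
    # request forged from another site: the browser still attaches the cookie, but
    # the other site cannot read it, so the hidden field is missing or wrong
    print(handle_transfer(browser_cookies, {"amount": "9999"}))
```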