Closed Bug 880894 Opened 12 years ago Closed 12 years ago

Implement CSRF protection for MakeAPI

Categories

(Webmaker Graveyard :: MakeAPI, defect)

defect
Not set
blocker

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jon, Assigned: cade)

Details

(Whiteboard: s=2013w24 p=1)

Attachments

(1 file)

No description provided.
No longer blocks: 880900
Whiteboard: s=2013w24 → s=2013w24 p=1
Assignee: pomax → chris
This patch adds the express.csrf() middleware to routes that use our Webmaker SSO to make authenticated API calls. ( The Login/Admin pages ) I added the option for a csrf token in the Make API client code so that it can be applied to the header of requests. Regular routes that are used by our trusted apps and through basic authentication do not need csrf protection since they can't be loaded into an iframe and abused by an attacker. Also, searching doesn't change the state of the session/database and thus does not need CSRF protection either.
Attachment #760395 - Flags: review?(jon)
Severity: normal → blocker
Comment on attachment 760395 [details] [review] https://github.com/mozilla/MakeAPI/pull/81 r+ with nits, I think you can delete the reference to the CSRF token in the node strategy.
Attachment #760395 - Flags: review?(jon) → review+
Commit pushed to master at https://github.com/mozilla/MakeAPI https://github.com/mozilla/MakeAPI/commit/673b62980eff38522fdc870d8bc0994dd300de3f Fix Bug 880894 - Add CSRF middleware to protect vulnerable admin routes and paths
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Attachment mime type: text/plain → text/x-github-pull-request
I,m the only user Jeffery hill Sr of 2300 so caraway rd rm 207 Jonesboro AR 72401 3134559189,Jefferyhill835@yahoo.com,ho
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: