#reitit
2023-11-08
e10:11:40

Is there a standard recipe for preventing https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html when using Reitit for the backend of a SPA? We don't use <form>s ourselves, but a third site could still, I guess, POST to our site if they got the user to click on a <form> button pointing to our app's POST endpoint.

e10:11:03

I'm thinking of checking the Origin header

Martín Varela14:11:45

There's no built-in support for CORS in reitit yet, but it's possible to get it working. You can have a look at this issue for some ideas: https://github.com/metosin/reitit/issues/236

dvingo20:11:22

If you're using :middleware (as opposed to :interceptors) then you can use https://github.com/ring-clojure/ring-anti-forgery/blob/master/src/ring/middleware/anti_forgery.clj, but for a SPA beware that this is designed for server-rendered apps. I am using a custom session strategy adapted from the ring-lib one to ensure the token is always set on the session response (vs. the default, which doesn't always apply it: https://github.com/ring-clojure/ring-anti-forgery/blob/c7db424a17cb483759f8336a1f435f1ec67b72e6/src/ring/middleware/anti_forgery/session.clj#L22).

dvingo20:11:47

To complete the "recipe": your handler that renders the page HTML will embed the token in a JS variable (the token is set on the request hashmap via the middleware), then your JS/CLJS can read that token and set it as a header in your API fetch calls.

e13:11:18

Thanks for the ideas. I think by https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html we can get by without the tokens, using e.g. the custom header or the origin check way, if we are satisfied to defend only against blind POST requests, and are satisfied that blind GETs won't hurt us. Also, one thing that in tests made our app more prone to the "form on third party site" misuse case was lack of content-type checking; perhaps our muuntaja is not configured right. So the 3rd party site form-originated POST request to our endpoint gets sent with the application/x-www-form-urlencoded content-type.
