Single Page Application and CSRF Token

by

Client side (SPA)

You only need to grab the CSRF token once per session. You can hold onto it in the browser and send it on every (non-GET) request.

Rails will appear to generate a new CSRF token on every request, but it will accept any generated token from that session. In reality, it is just masking a single token using a one-time pad per request, in order to protect against SSL BREACH attack. More details at https://stackoverflow.com/a/49783739/2016618. You don’t need to track/store these tokens.

Server side

I strongly suggest using Rails’s protect_from_forgery directive rather than encoding the CSRF token in a header yourself. It will generate a different masked token per request.

You can certainly reproduce this yourself with not that much code, but I don’t see why you’d need to.

Do you need CSRF protection with an API?

Yes! If you are authenticating with a cookie, you need CSRF protection. This is because cookies are sent with every request, so a malicious website could send a POST request to your site and perform requests on behalf of a logged in user. The CSRF token prevents this, because the malicious site won’t know the CSRF token.

More Related Contents:

  1. Uncaught ReferenceError: React is not defined
  2. How to create a translucent in React Native?
  3. ReactJS Two components communicating
  4. Difference between npx and npm?
  5. What are cookies and sessions, and how do they relate to each other?
  6. Adding new data to firebase users
  7. How to load image files with webpack file-loader
  8. Can I use arrow function in constructor of a react component?
  9. javascript change background color on click [closed]
  10. setState() inside of componentDidUpdate()
  11. React Hooks – What’s happening under the hood?
  12. How to implement a dynamic form with controlled components in ReactJS?
  13. Why do I have to .bind(this) for methods defined in React component class, but not in regular ES6 class
  14. Using a Rails helper method within a javascript asset
  15. How to send flash messages in Express 4.0?
  16. Updating source URL on HTML5 video with React
  17. Rails: Webpacker 4.2 can’t find application in /app/public/packs/manifest.json heroku
  18. React code throwing “TypeError: this.props.data.map is not a function”
  19. Why need useRef and not mutable variable?
  20. Why is React’s concept of Virtual DOM said to be more performant than dirty model checking?
  21. How to force a functional React component to render?
  22. Using a Set data structure in React’s state
  23. How to download fetch response in react as file
  24. React hook useEffect runs continuously forever/infinite loop
  25. Scroll into view in react
  26. JSX not allowed in files with extension ‘ .js’ with eslint-config-airbnb
  27. Nothing was returned from render. This usually means a return statement is missing. Or, to render nothing, return null [closed]
  28. how to render child components in react.js recursively
  29. Like button Ajax in Ruby on Rails
  30. Extending React.js components

Leave a Comment