-
Notifications
You must be signed in to change notification settings - Fork 652
JWT_AUTH_COOKIE makes APIs CSRF vulnerable. #338
Comments
How is that? please explain. |
@Mahmoodi ? input please. |
@Mahmoodi is right. Because JWT is saved in a cookie, it will be automatically sent with every request, causing successful authentication without any need to add JWT to request header by the application. Because of this, it is generally vulterable to CSRF in exactly the same way as usual cookie session, so actually there is no need to provide any example here as general CSRF vulnarability examples could be applied here. |
Hey @klis87 thanks for jump in, yeah I got that from @Radobilly's links and some googling .. I will write some docs and will update this ticket so you can proofread and add/delete more info to the main docs. |
Please correct me if I'm wrong, but seems to me that default Django CSRF protection, if used correctly, prevents problems: https://docs.djangoproject.com/en/1.11/ref/csrf/ https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage also says that:
Update: Ah ok, I see one more thing now. Django's CSRF tokens will be generated if one has |
Any update on this? |
I noticed this risk and created a pull request adding an option to handle csrf protection when using JWT in http-only cookie. Now I see it's an open issue, for those interested, check out #434 and maybe we can close this. |
Perhaps this post might be illuminating? |
It is @CapedHero, that is the behaviour that you get when using #434. |
As well as requiring CSRF protection, shouldn't JWT_AUTH_COOKIE also be set with the Secure flag? |
The Secure flag prevents the cookie from being sent over non-https connections, protecting it from eavesdropping among other things. Some users might want to protect their apps from CSRF and XSS while allowing them to work over http. In that case, the Secure flag would not be a suitable choice. That said, using https and the Secure flag is of course advisable whenever possible. |
Perhaps use the Secure flag by default and have an option to turn it off then? |
There is currently no way to customise the cookie settings. It would be really useful to have the choice to set them, especially the |
Yes @pou426 you can customize it the way you want using |
Using the JWT_AUTH_COOKIE is vulnerable to CSRF attacks and this is not mentioned in the documentation nor mitigated against in the code.
The text was updated successfully, but these errors were encountered: