node.js - How the node CSRF protection works with angular resource?
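My Node server has the following configuration:

    var express = require('express');
    var app = express();

    app.use(express.csrf());
    app.use(function (req, res, next) {
      // Expose the token in the cookie AngularJS reads by default (XSRF-TOKEN)
      res.cookie('XSRF-TOKEN', req.csrfToken());
      next();
    });

The token is grabbed by Angular and sent as a header, right? The token is checked on POST routes, not on GET routes... is that right?
Is it possible to add CSRF protection to GET routes too? Do I need a middleware?
Thanks!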
GET requests are safe and idempotent: http://www.w3.org/protocols/rfc2616/rfc2616-sec9.html
Usually CSRF protection is not necessary for GET, HEAD, OPTIONS requests.
If needed, you can enable it for GET.
All popular libs allow you to enable it for the types you need.
For example, you can override the defaults by setting "ignoreMethods" explicitly in https://github.com/expressjs/csurf
node.js angularjs
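To make the method-based check from the answer concrete, here is an added example (not from the original post, and not csurf's own source): a dependency-free model of an Express-style CSRF middleware with an ignoreMethods option. The names issueToken, verifyToken, csrfProtection, check and the session field csrfSecret are hypothetical, and the token format is an assumption chosen for the illustration.

```javascript
// Added illustration: a simplified model of a method-aware CSRF check.
// NOT csurf's implementation; all function names here are hypothetical.
const crypto = require('crypto');

// Token = salt + "-" + HMAC(secret, salt); the secret stays server-side (session).
function issueToken(secret) {
  const salt = crypto.randomBytes(8).toString('hex');
  const mac = crypto.createHmac('sha256', secret).update(salt).digest('hex');
  return `${salt}-${mac}`;
}

function verifyToken(secret, token) {
  if (typeof token !== 'string') return false;
  const idx = token.indexOf('-');
  if (idx < 1) return false;
  const salt = token.slice(0, idx);
  const want = Buffer.from(crypto.createHmac('sha256', secret).update(salt).digest('hex'));
  const given = Buffer.from(token.slice(idx + 1));
  // Length check first: timingSafeEqual throws on unequal lengths.
  return given.length === want.length && crypto.timingSafeEqual(given, want);
}

// Middleware factory; ignoreMethods mirrors the option named in the answer.
// Removing 'GET' from the list makes GET routes require a valid token too.
function csrfProtection({ ignoreMethods = ['GET', 'HEAD', 'OPTIONS'] } = {}) {
  const skip = new Set(ignoreMethods.map((m) => m.toUpperCase()));
  return function (req, res, next) {
    if (skip.has(req.method.toUpperCase())) return next();
    // AngularJS $http copies the XSRF-TOKEN cookie into this header
    // on same-origin requests.
    const token = req.headers['x-xsrf-token'];
    if (verifyToken(req.session.csrfSecret, token)) return next();
    const err = new Error('invalid csrf token');
    err.status = 403;
    next(err);
  };
}

// Constructed request objects standing in for Express req; returns 'ok' or the error status.
function check(mw, method, secret, token) {
  let outcome;
  const headers = token ? { 'x-xsrf-token': token } : {};
  const req = { method, headers, session: { csrfSecret: secret } };
  mw(req, {}, (err) => { outcome = err ? err.status : 'ok'; });
  return outcome;
}
```

With the default list a GET without a token passes; with ignoreMethods set to ['HEAD', 'OPTIONS'] the same GET is rejected with 403 unless the header carries a valid token.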