Jezz Santos - 394 - Oct 10, 2014

Can I open a discussion on how to apply CSRF protection on a ServiceStack API when consumed by a javascript client (such as an angularjs client).
I am looking for implementation patterns that have been proven to work. Has anyone got one working?

Seems the strategy for AngularJS is to set a XSRF-TOKEN Cookie with a Token that AngularJS will read and post back for non-GET requests in the X-XSRF-TOKEN HTTP Header:

Jezz Santos:

So, more specifically what I am looking for is implmentation patterns involving ServiceStack.

Angular makes the suggestion for the channel mechanism (only) by which the data can be passed (i.e. XSRF-TOKEN).
But it makes no recommendation as to when and how the token is first created, and persisted/updated by client (presuming thatthe API will continuously create new tokens over time for the client to use for each POST/PUT/DELETE)

So, I was looking at strategies people have used to add this CSRF aspect to their solutions.
(The discussion was meant to weigh up different options, since there seems to be no standard ways to do this yet. At least no one seems to have shared theirs yet)

Ivan Fioravanti:

Hi Jeff, why you’d like to change the token for each operation? We create it once during user authentication as a digest of the SessionId with a random salt and send it back to client. AngularJS will send it back to each request in both cookie and header and you can use a global filter to check of they match.
Just keep in mind that if you use CORS (i.e. www. calling api.) you’ll have to implement additional checks like: origin and refer matching if present.

Hope this helps

Jezz Santos:

Thanks Ivan, I will look at that

Jezz Santos:

+Ivan Fioravanti Ivan can you tell me how you took a digest of the authentication cookie in MVC? I am missing that one piece of implmentation