Laravel在api中间件上启用csrf保护

Laravel在api中间件上启用csrf保护

本文介绍了Laravel在api中间件上启用csrf保护的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在使用Laravel 5.4,而我的路线在api中间件中

我看到我需要将路由转移到Web中间件,但是由于我正在创建RESTful api,因此我需要将它们放置在api中间件上,有关如何操作的任何建议我可以将CSRF与api中间件一起使用吗?

解决方案

CSRF保护可防止使用先前通过身份验证的用户的攻击(通常使用会话设置状态) https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF).

宁静的API没有状态 https://en.wikipedia.org/wiki/Representational_state_transfer,因此没有会​​话可供攻击.因此,在Restful API中,CSRF保护是在每个请求上对用户进行身份验证,如果您仅在第一个请求上对用户进行身份验证,并在随后的请求中使用会话,则您不是在使用Restfull API,而是应使用Web中间件. /p>

如果您没有任何状态,如何将CSRF令牌获取给客户端?

I'm working on Laravel 5.4 and my routes are in the api middleware

I see that I need to transfer my routes to the web middleware, but I need them to be on the api middleware since I'm creating a RESTful api, any suggestions on howI could use csrf with api middleware?

解决方案

CSRF protection prevents attacks using a previously authenticated user (normally setting a state using session) https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF).

A restful API do not have state https://en.wikipedia.org/wiki/Representational_state_transfer, so there is no session to attack. So in a restful API the CSRF protection is to authenticate the user on each request, if you are only authenticating the user on the first request and use session for the following requests you are not making a restfull API and should use the web middleware.

Edit:How are you going to get the CSRF token to the client if you don't have any state?

这篇关于Laravel在api中间件上启用csrf保护的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-06 01:08