
I need to protect my API against CSRF on POST and PUT requests.

To do that, I think the mobile device (for example iOS) needs to send a token to the API server (node.js). This token must be encrypted and contain JSON data that will be decrypted server side.

To decrypt the data, the mobile device uses the same secret key that the server knows.

For example: {_csrf: 123456789} will be decrypted from the token sent by the mobile device and checked by the API to see if it matches.

  1. Is it the right way? If not, what is the right way?

  2. How can I encrypt JSON data on iOS and decrypt it on node.js? (JWT Token does not have a library for iOS)

Can you provide me example code to encrypt data on iOS and decrypt it on node.js?

2 Answers


Just use https, it encrypts everything, even any query string.

The content is encrypted with a random symmetric key and that key is encrypted with an asymmetric key from the certificate. Additionally, the symmetric key has a short lifetime. Additionally, you do not have to implement any encryption routines.

Also note that iOS9 will by default require https to be used for all connections, any http connections will need to be white-listed in the plist.

If you do your own encryption you immediately have a problem sharing the encryption key between the device and the server. This is not an easy problem to solve.


4 Comments

This will NOT protect from CSRF. This is not secure at all. With CSRF, the browser itself is the problem. You must still protect against CSRF.
There is no potential CSRF attack because there is no browser.
"I need to protect my API for CSRF on post and put requests." "Just use https..." Yes, this is the part that is not secure. HTTPS does not protect against CSRF. Sorry if I came off a little strong. @zaph
Yes, I see your comments -- there is no browser. You might want to update your answer to read, "HTTPS is fine... as long as there is no browser." Otherwise, the question reads "protect against CSRF" and your answer reads, "just use HTTPS."

When accessing the API from a browser page, to protect against CSRF, you can send a token in HTTP headers, for example, X-CSRF-Token, or, use a cookie.

For example, have your server send the CSRF token in an HTTP response using the X-CSRF-Token header. You can have your page send it back in the JSON on the POST or PUT. Or have your page read it from the cookie and put it into the JSON.

(HTTPS from the browser will not protect against CSRF, since any script on any other site running in the same browser can POST to your HTTPS server freely. Your page needs to have a token that no other page in the same browser has access to.)
