July 2017
Beginner to intermediate
358 pages
10h 54m
English
XSS and CSRF only apply when your API is going to be used from a web browser, such as in a single-page app or a direct JavaScript call. However, to protect against an attacker injecting malicious JavaScript that can retrieve your session token, you should make sure that it is stored in a cookie that is marked as HTTP-only, and that you only ever send it over HTTPS to stop it being captured in transit. In addition to this, we can add a layer of security that checks the HTTP referrer sent by the browser against the expected domain. While it is possible to fake the HTTP referrer using something like cURL, it is not possible, or at least incredibly difficult, to do this from JavaScript ...
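As an added illustration of the two measures described above (example code, not taken from the book): a `Set-Cookie` header that carries the HttpOnly and Secure attributes, plus `SameSite=Strict`, which goes beyond what the excerpt mentions, and a referrer check that compares whole origins rather than substrings. The allow-list, cookie values and request headers are constructed for the example.

```javascript
// Added example: session cookie attributes and a Referer/Origin allow-list
// check for a browser-facing API. All values below are constructed.

// HttpOnly keeps the token out of document.cookie, Secure keeps it off plain
// HTTP, and SameSite=Strict withholds it from cross-site requests (an addition
// beyond the excerpt's HttpOnly + HTTPS advice).
function sessionCookieHeader(name, token, maxAgeSeconds) {
  if (!/^[A-Za-z0-9_-]+$/.test(name) || /[;\s]/.test(token)) {
    throw new Error("cookie name or token contains invalid characters");
  }
  return `${name}=${token}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}

// Compare the full origin (scheme + host + port), never a substring: a naive
// "contains app.example.test" test would accept https://app.example.test.evil.test/
// and https://evil.test/app.example.test alike.
function isTrustedReferrer(headers, allowedOrigins) {
  // Header names are case-insensitive; the header is spelled "Referer" on the
  // wire. Fall back to Origin when Referer is absent (e.g. stripped by policy).
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const candidate = lower["referer"] || lower["origin"];
  if (!candidate) return false; // neither header present: reject
  let origin;
  try {
    origin = new URL(candidate).origin; // e.g. "https://app.example.test"
  } catch {
    return false; // unparseable value (including Origin: null): reject
  }
  return allowedOrigins.includes(origin);
}

// Constructed allow-list of origins the API expects browsers to call from.
const ALLOWED_ORIGINS = ["https://app.example.test"];

function checkRequest(headers) {
  return isTrustedReferrer(headers, ALLOWED_ORIGINS) ? "allow" : "reject";
}
```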