angular4 angular2 - XSRF 保护
angular4 angular2 - XSRF protection
我们目前正在使用 Slim-PHP REST 后端开发 Angular4 应用程序。现在我们要实现 XSRF 保护。 Angular2或Angular4没有官方教程,如何在客户端使用类、XSRFStrategy、CookieXSRFStrategy等? (我们在服务器端放置了一个 XSRF TOKEN cookie,并且 angular 不会发送 XSRF TOKEN-header-parameter。
我们在论坛中发现了很多话题,但是,都是个别情况...在“https://angular.io/guide/security”页面上也没有关于如何使用它的详细信息。还是我错过了什么?有人有提示吗?
谢谢!
您提供的 url 有一个 link 到 class HttpClient,您可以在其中找到以下文本:
Cross-Site Request Forgery (XSRF) is an attack technique by which the
attacker can trick an authenticated user into unknowingly executing
actions on your website. HttpClient supports a common mechanism used
to prevent XSRF attacks. When performing HTTP requests, an interceptor
reads a token from a cookie, by default XSRF-TOKEN, and sets it as an
HTTP header, X-XSRF-TOKEN. Since only code that runs on your domain
could read the cookie, the backend can be certain that the HTTP
request came from your client application and not an attacker.
这是可配置的:
If your backend service uses different names for the XSRF token cookie
or header, use HttpClientXsrfModule.withOptions() to override the
defaults.
imports: [ HttpClientModule,
HttpClientXsrfModule.withOptions({
cookieName: 'My-Xsrf-Cookie',
headerName: 'My-Xsrf-Header'
}) ]
这应该是 withOptions 而不是 withConfig。即:像这样
HttpClientXsrfModule.withOptions({
cookieName: 'My-Xsrf-Cookie',
headerName: 'My-Xsrf-Header'
}),
我们目前正在使用 Slim-PHP REST 后端开发 Angular4 应用程序。现在我们要实现 XSRF 保护。 Angular2或Angular4没有官方教程,如何在客户端使用类、XSRFStrategy、CookieXSRFStrategy等? (我们在服务器端放置了一个 XSRF TOKEN cookie,并且 angular 不会发送 XSRF TOKEN-header-parameter。
我们在论坛中发现了很多话题,但是,都是个别情况...在“https://angular.io/guide/security”页面上也没有关于如何使用它的详细信息。还是我错过了什么?有人有提示吗?
谢谢!
您提供的 url 有一个 link 到 class HttpClient,您可以在其中找到以下文本:
Cross-Site Request Forgery (XSRF) is an attack technique by which the attacker can trick an authenticated user into unknowingly executing actions on your website. HttpClient supports a common mechanism used to prevent XSRF attacks. When performing HTTP requests, an interceptor reads a token from a cookie, by default XSRF-TOKEN, and sets it as an HTTP header, X-XSRF-TOKEN. Since only code that runs on your domain could read the cookie, the backend can be certain that the HTTP request came from your client application and not an attacker.
这是可配置的:
If your backend service uses different names for the XSRF token cookie or header, use
HttpClientXsrfModule.withOptions()to override the defaults.imports: [ HttpClientModule, HttpClientXsrfModule.withOptions({ cookieName: 'My-Xsrf-Cookie', headerName: 'My-Xsrf-Header' }) ]
这应该是 withOptions 而不是 withConfig。即:像这样
HttpClientXsrfModule.withOptions({
cookieName: 'My-Xsrf-Cookie',
headerName: 'My-Xsrf-Header'
}),