Tuesday, 30 January 2018

Protecting public JSON/REST endpoint. Can’t use CSRF. Recaptcha alone enough?

Is my endpoint protected from CSRF attacks because of the json/application content type?

I have an SPA with a contact form that I’m looking to make as safe and spam-free as possible. CSRF isn’t possible because the page which features the contact form is cached (and the CSRF cookies are unable to be properly generated per request). Because of this I must use REST.

Right now, the REST contact endpoint has no CORS since I am always calling from the same origin in my app. I am using reCAPTCHA to serve as “single use” token auth.

What more can be done to secure this endpoint to the fullest extent?

Submitted January 30, 2018 at 12:58PM by MyyHealthyRewards
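The check behind the question above (whether a strict JSON Content-Type keeps a same-origin REST endpoint out of reach of cross-site form posts), written out as an added example that is not part of the original post. The allowed origin, the header shapes and the sample requests are assumptions; the reCAPTCHA verification and the rule that the server must never accept non-JSON bodies or emit permissive CORS headers are outside this snippet.

```javascript
// Added example: admission check for a same-origin JSON endpoint.
// A browser cannot send an application/json body cross-site without a CORS
// preflight, and with no CORS headers that preflight fails. The check below
// enforces the Content-Type strictly and also verifies the request origin,
// so the endpoint does not rely on the content type alone.
const ALLOWED_ORIGIN = "https://example.com"; // assumption: the SPA's own origin

// Extract the media type from a Content-Type header, dropping parameters
// such as "; charset=utf-8" and normalising case.
function mediaType(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Decide whether a request may reach the JSON endpoint. `headers` is a
// plain object keyed by lower-case header name (as Node's http module gives).
function admitJsonRequest(headers) {
  const ct = mediaType(headers["content-type"]);
  // text/plain and form-encoded bodies can be posted cross-site without a
  // preflight; only an exact application/json is accepted here.
  if (ct !== "application/json") {
    return { ok: false, reason: "content-type must be application/json" };
  }
  // Browsers that send Sec-Fetch-Site label cross-site requests explicitly.
  const site = headers["sec-fetch-site"];
  if (site !== undefined && site !== "same-origin") {
    return { ok: false, reason: "sec-fetch-site is " + site };
  }
  // Origin is attached to every browser POST; it must match the SPA's origin.
  if (headers["origin"] !== ALLOWED_ORIGIN) {
    return { ok: false, reason: "origin missing or not allowed" };
  }
  return { ok: true, reason: "same-origin json request" };
}

// Constructed sample requests for demonstration.
const SAME_ORIGIN_JSON = {
  "content-type": "application/json; charset=utf-8",
  "origin": ALLOWED_ORIGIN,
  "sec-fetch-site": "same-origin",
};
const CROSS_SITE_FORM = {
  "content-type": "text/plain",
  "origin": "https://other.example",
  "sec-fetch-site": "cross-site",
};
```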
