4 comments

[ 3.1 ms ] story [ 19.4 ms ] thread
Really enjoyed this talk. Good material and great presentation, thanks again!
what are effective ways to prevent CSRF in single-page apps?
I think the recommendation to use request tokens still stands[1].

I haven't really had the chance to dive into html5/client-side js apps yet -- but it should be possible to apply the same idea to single-page apps as well? Perhaps even easier, as you don't need a fall back to plain http/1.1 on the client side, as you can already assume the client is able to run javascript, and you could do a lot of stuff to manipululate/validate tokens there.

Having a good implementation (not having to roll your own) would be good, though. Judging by [2] you might have to implement it yourself. Although [3] and [4] looks promising for express.js at least.

I have not had time to review this -- so preform your own due diligence.

[1] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(...

[2] http://stackoverflow.com/questions/6617499/for-node-js-is-th...

[3] http://dailyjs.com/2012/09/13/express-3-csrf-tutorial/

[4] http://www.senchalabs.org/connect/csrf.html

Excellent talk. Really like how he talked about the overall architecture as well as implementation details