I'm creating a website using backbone and node.js and don't think that by default there is any protection against CSRF. Is there a standard way to protect against CSRF when using backbone with node.js? Thanks
I don't know of anything specific for node.js + backbone, but you can use http://www.senchalabs.org/connect/middleware-csrf.html (assuming you're using express or something connect-compatible). You'll need to output the token somewhere in your html, like as a meta tag. Then you can modify the backbone sync method to pull that token and pass it to express via header, query, or form.
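The client half of that approach, as an added example that is not part of the original answer: it wraps Backbone.sync so every state-changing request carries the token read from a meta tag. The meta tag name csrf-token and the header name X-CSRF-Token are assumptions and must match what the server-side CSRF middleware emits and checks.

```javascript
// Added example (not from the original answer).
// Assumed page markup: <meta name="csrf-token" content="...token from the server...">
// Assumed header name: X-CSRF-Token (must match what the server middleware reads).
var CSRF_META_SELECTOR = 'meta[name="csrf-token"]';
var CSRF_HEADER = 'X-CSRF-Token';

// Wrap Backbone.sync once at startup. `backbone` and `doc` are passed in so the
// wrapper can be exercised without a browser.
function installCsrfSync(backbone, doc) {
  var originalSync = backbone.sync;

  backbone.sync = function (method, model, options) {
    options = options || {};

    // 'read' maps to GET, which must not change server state and needs no token.
    if (method !== 'read') {
      // Read the token on every call so a token rotated by the server is picked up.
      var meta = doc.querySelector(CSRF_META_SELECTOR);
      var token = meta ? meta.getAttribute('content') : null;
      var callerBeforeSend = options.beforeSend;

      options.beforeSend = function (xhr) {
        // Without a token the request goes out bare and the server rejects it,
        // which is the safe failure mode.
        if (token) {
          xhr.setRequestHeader(CSRF_HEADER, token);
        }
        // Preserve any beforeSend hook the caller supplied.
        if (callerBeforeSend) {
          return callerBeforeSend.apply(this, arguments);
        }
      };
    }

    return originalSync.call(this, method, model, options);
  };
}

// In the browser, install against the real globals.
if (typeof Backbone !== 'undefined' && typeof document !== 'undefined') {
  installCsrfSync(Backbone, document);
}
```

Sending the token in a custom header rather than a query parameter keeps it out of URLs, which end up in server logs and Referer headers.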
If the Allow-Origin header is set to something permissive (e.g., Allow-Origin:*), X-Requested-By will not prevent request forgeries. Any JavaScript running on another host will be able to craft requests that still enable request forgeries.

You could simply ensure requests have the X-Requested-By header with the value XMLHTTPRequest. AJAX requests have cross-domain restrictions so if that header is present it was not e.g. a hidden form on a malicious website.