
js version versus nojs version

minhaz edited this page Jul 27, 2014 · 5 revisions

The JS version (as the name suggests) requires the browser to have JavaScript enabled for CSRF Protector to work. A NOJS version is also supported for users who keep JavaScript disabled.

JS version - use if your web application already requires clients to have JS enabled

This is our master version. It relies on JavaScript to attach the token to every POST request and to those GET requests that match the GET rules in the configuration. Tokens are issued per request: as soon as a token is used it is consumed and a new one is generated. So even if an attacker manages to extract the CSRF token from the victim (say, through an XSS vulnerability), they cannot use it to forge multiple requests; a stolen token is good for at most one request, and only if it is presented before the victim's own request consumes it. This version also works well with multiple tabs, which is normally hard to achieve with per-request tokens.

Download link

NOJS version - use if clients are not required to have JS enabled

This version is based on static rewriting of the static content generated by the web application: the library inserts the token into the HTML before it is sent to the client. The NOJS version also attaches JavaScript code to the generated output, so if the client does have JS enabled, tokens are still attached to XHR requests and dynamically created forms. If JS is disabled, nothing is lost: the static content has already been secured by the library. However, the NOJS version uses a per-session token, meaning the token stays the same for the whole session instead of changing on every request. Use this version if there is a good chance your application will be used with JS disabled.

Download link