
CSRF & Cookies

Open tchakravarty opened this issue 7 years ago • 3 comments

Hi @trestletech,

We are experimenting with developing an API using plumber and we now need to secure the API, but the sections on CSRF and cookies in the manual are sparse. Any plans to update those sections?

Specifically, is there concrete guidance on how to prevent CSRF with plumber?

Thanks.

tchakravarty avatar Oct 10 '17 16:10 tchakravarty

I wrote up most of the Cookies security section last night: https://www.rplumber.io/docs/security.html#security-cookies

Note that some of the features documented there and in https://www.rplumber.io/docs/rendering-and-output.html#setting-cookies only exist in the dev version of plumber (devtools::install_github("trestletech/plumber")).

I have not documented XSRF, but honestly Plumber doesn't introduce any new requirements/quirks regarding cookie management or XSRF that any other API doesn't have. So you'd probably be fine reading other resources to get your head around XSRF and then reasoning through whether or not your API needs to be concerned or protect itself.

Eventually I'd like to put together an example that has all the "best practices" here for a Plumber API that uses cookies for authentication with a JS front-end. But no ETA on that.

trestletech avatar Nov 04 '17 14:11 trestletech

@trestletech ,

Thanks for this! Quick comment -- can't the preventing XSRF section also be subsumed in the cookies section by basically requiring a "password" variable in the header of the request that needs to match the password stored in the (secure) cookie? An XSRF request would have the cookie, but not the password?

Thanks,

T

tchakravarty avatar Nov 04 '17 18:11 tchakravarty

Yeah, that sounds about like the normal XSRF mediation, where the "password" is just a random string.

trestletech avatar Nov 06 '17 14:11 trestletech
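The check sketched in the last two comments (a random token in a cookie that must be echoed back in a request header, which a cross-site form post cannot add), written out as an added plumber example; this is not code from the plumber project or from the thread. The cookie name `xsrf`, the header `X-XSRF-Token`, the `/login` route and the `tokens_match` helper are assumptions for the illustration; `req$cookies`, the Rook-style `req$HTTP_X_XSRF_TOKEN` header field, `res$setCookie()`, `@filter`, `@preempt` and `plumber::forward()` are plumber's own, and `openssl::rand_bytes()` supplies the random token.

```r
# api.R -- run with plumber::plumb("api.R")$run()
library(plumber)

# Constant-length comparison of two tokens; returns FALSE for missing values.
# (Constructed helper, not part of plumber.)
tokens_match <- function(a, b) {
  if (is.null(a) || is.null(b)) return(FALSE)
  ra <- charToRaw(a)
  rb <- charToRaw(b)
  if (length(ra) != length(rb)) return(FALSE)
  sum(ra != rb) == 0          # compare every byte, no early exit
}

#* Double-submit check: any state-changing request must carry the token from
#* the xsrf cookie again in the X-XSRF-Token header. The browser attaches the
#* cookie to a cross-site request automatically, but only same-origin JS that
#* can read the cookie is able to set the matching header.
#* @filter xsrf
function(req, res) {
  safe_method <- req$REQUEST_METHOD %in% c("GET", "HEAD", "OPTIONS")
  if (!safe_method) {
    cookie_token <- req$cookies$xsrf          # plumber parses cookies into req$cookies
    header_token <- req$HTTP_X_XSRF_TOKEN     # header X-XSRF-Token, Rook-style name
    if (!tokens_match(cookie_token, header_token)) {
      res$status <- 403
      return(list(error = "XSRF token missing or mismatched"))
    }
  }
  plumber::forward()
}

#* Issue a fresh random token at login. The cookie is intentionally readable
#* by the JS front-end (not HttpOnly) so it can copy the value into the
#* header; the real session cookie used for authentication should be a
#* separate, HttpOnly cookie. This route is exempt from the filter because
#* the client has no token yet.
#* @post /login
#* @preempt xsrf
function(res) {
  token <- paste(as.character(openssl::rand_bytes(24)), collapse = "")
  res$setCookie("xsrf", token, secure = TRUE)   # Secure: only sent over HTTPS
  list(ok = TRUE)
}

#* Example protected endpoint; only reachable with a matching cookie/header pair.
#* @post /transfer
function() {
  list(status = "accepted")
}
```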