
SOP (same-origin policy) provides some security for users against some attacks, but it is not very strict, as it still allows you to send GET and POST requests from a different origin, which APIs by default process and respond to. This leaves some room for CSRF attacks.

We are building an API with the sole responsibility of serving our own SPA (Single Page Application, such as Angular, React, etc.). There are some easy techniques to defend against CSRF, but I came up with a much simpler one and would like to hear some opinions on whether it makes sense.

I am proposing to implement API-side validation to check whether the origin is whitelisted and, if not, ignore the request completely. Are there any drawbacks to such a solution?

eddyP23
  • Does SPA mean Single Page App? I had to look that up, so I figure someone else may also not have known what it meant. – Daisetsu Nov 09 '18 at 17:52
  • Fair point, will update the description – eddyP23 Nov 12 '18 at 07:25
  • How will you "check the origin"? Do you mean the HTTP "Origin" header? Or will you check "Origin" and "Referer"? Then what you are asking seems a duplicate of the question I linked. – sleske Nov 12 '18 at 10:05
  • Yes, I do mean checking the `Origin` header. The linked question answers most of my question, but the remaining unclear bit is whether checking the `Origin` header against my own whitelisted domains is not enough? – eddyP23 Nov 12 '18 at 11:13
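The `Origin`-allowlist check discussed in the question and comments, written out as an added example that is not part of the original post or of any answer. The allowed origins are constructed values, and the policy choices (exact comparison of normalized `scheme://host[:port]`, fall back to `Referer` only when `Origin` is absent, and reject when neither yields a usable origin) are assumptions about how a fail-closed variant of the proposal would behave.

```python
from urllib.parse import urlsplit

# Constructed allowlist of origins the API serves (example values, not from the question).
ALLOWED_ORIGINS = {"https://app.example.com", "https://app.example.com:8443"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Reduce an origin or URL string to canonical scheme://host[:port].

    Returns None for anything that is not an absolute http(s) URL, including
    the literal 'null' origin browsers send for opaque origins (sandboxed
    frames, file:// pages), so such values never match the allowlist.
    """
    if not value or value.strip().lower() == "null":
        return None
    parts = urlsplit(value.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def is_allowed_origin(headers, allowed=ALLOWED_ORIGINS):
    """Decide whether the request's source origin is on the allowlist.

    Assumed policy (fail closed): use Origin when present; when Origin is
    absent, derive the origin from Referer; reject if neither is usable.
    An Origin header that is present but malformed or 'null' is rejected
    without consulting Referer. Matching is exact after normalization, so
    'https://app.example.com.evil.test' does not match 'https://app.example.com'
    the way a substring or prefix check would.
    """
    allowed = {normalize_origin(o) for o in allowed} - {None}
    headers = {k.lower(): v for k, v in headers.items()}
    source = normalize_origin(headers.get("origin"))
    if source is None and "origin" not in headers:
        source = normalize_origin(headers.get("referer"))
    return source is not None and source in allowed
```

The same-origin requests the SPA itself makes carry an `Origin` equal to the page's origin, so they pass; a cross-origin page's request carries that page's origin and is rejected before the handler runs.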

0 Answers