I am building a web service that exclusively uses JSON for its request and response content (i.e., no form encoded payloads).
Is a web service vulnerable to CSRF attack if the following are true?
Any POST
request without a top-level JSON object, e.g., {"foo":"bar"}
, will be rejected with a 400. For example, a POST
request with the content 42
would be thus rejected.
Any POST
request with a content-type other than application/json
will be rejected with a 400. For example, a POST
request with content-type application/x-www-form-urlencoded
would be thus rejected.
All GET requests will be Safe, and thus not modify any server-side data.
Clients are authenticated via a session cookie, which the web service gives them after they provide a correct username/password pair via a POST with JSON data, e.g. {"username":"user@example.com", "password":"my password"}
.
Ancillary question: Are PUT
and DELETE
requests ever vulnerable to CSRF? I ask because it seems that most (all?) browsers disallow these methods in HTML forms.
EDIT: Added item #4.
EDIT: Lots of good comments and answers so far, but no one has offered a specific CSRF attack to which this web service is vulnerable.
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…