Slides and video from Spike Brehm's tech talk: Building Single-Page Apps (opens in new tab)

(nerds.airbnb.com)

36 pointsfrontendbeauty13y ago4 comments

4 comments

4 comments · 3 top-level

mycodebreaks13y ago· 1 in thread

what are effective ways to prevent CSRF in single-page apps?

e12e13y ago

I think the recommendation to use request tokens still stands[1].

I haven't really had the chance to dive into html5/client-side js apps yet -- but it should be possible to apply the same idea to single-page apps as well? Perhaps even easier, as you don't need a fall back to plain http/1.1 on the client side, as you can already assume the client is able to run javascript, and you could do a lot of stuff to manipululate/validate tokens there.

Having a good implementation (not having to roll your own) would be good, though. Judging by [2] you might have to implement it yourself. Although [3] and [4] looks promising for express.js at least.

I have not had time to review this -- so preform your own due diligence.

[1] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(...

[2] http://stackoverflow.com/questions/6617499/for-node-js-is-th...

[3] http://dailyjs.com/2012/09/13/express-3-csrf-tutorial/

[4] http://www.senchalabs.org/connect/csrf.html

serialpreneur13y ago

Excellent talk. Really like how he talked about the overall architecture as well as implementation details

jbredeche13y ago

Really enjoyed this talk. Good material and great presentation, thanks again!

j / k navigate · click thread line to collapse