Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Apollo Server and CSRF protection. #1590

Closed
frederikhors opened this issue Aug 28, 2018 · 4 comments
Closed

Apollo Server and CSRF protection. #1590

frederikhors opened this issue Aug 28, 2018 · 4 comments

Comments

@frederikhors
Copy link

Guys,

I am really sad not seeing any results in these issues if I look for the word: "CSRF".

I read a lot around:

  1. https://github.com/pillarjs/understanding-csrf
  2. https://security.stackexchange.com/questions/10227/csrf-with-json-post
  3. https://stackoverflow.com/questions/11008469/are-json-web-services-vulnerable-to-csrf-attacks
  4. (Nothing on the ApolloServer site: https://www.apollographql.com/docs/apollo-server/)

However, I am not yet able to understand if our endpoint ("/graphql") is protected for this type of attack or if it is necessary to protect it with solutions like this: https://github.com/expressjs/csurf.

The thing that is not clear to me is that here: https://github.com/pillarjs/understanding-csrf they say:

When you're using CSRF tokens incorrectly:
...
Adding them to JSON AJAX calls
As noted above, if you do not support CORS and your APIs are strictly JSON, there is absolutely no point in adding CSRF tokens to your AJAX calls.

If we restrict our endpoint to just use Content-Type: application/json are we safe?
@demeralde
Copy link

Maybe this will help: https://security.stackexchange.com/questions/166724/should-i-use-csrf-protection-on-rest-api-endpoints

@vroad
Copy link

vroad commented Jan 18, 2019

There was a vulnerability in Flash player that allowed bypassing CSRF protection with Content-Type: application/json.

https://security.stackexchange.com/questions/170477/csrf-with-json-post-when-content-type-must-be-application-json

According to the author it's fixed in all modern browsers, and only works on IE with File URI (but not with http/https).

@jordan-jarolim

This comment has been minimized.

Sign in to view
@abernix abernix added the 🚧👷‍♀️👷‍♂️🚧 in triage Issue currently being triaged label Jul 8, 2019
@abernix
Copy link
Member

abernix commented Jul 9, 2019

Apollo Server isn't unlike any other server in this regard, and as noted in the original body, barring any browser-based bugs (which, let's be honest, the underlying security model here leans on heavily, outside of Apollo Server), limiting usage to application/json is a great practice to enforce for any API where user-based session information is shared on the same domain (e.g. cookies, etc.).

Depending on exactly what server integration is (e.g. Hapi, Koa, etc) at play, along with what other middleware (besides Apollo) are in use, you should take precautions to ensure that you are not subjected to the risks of CSRF. Keep in mind that if you wish to only accept application/json, you should disable uploads using uploads: false, since graphql-upload requires accepting multipart/form-data to accommodate the uploads.

@abernix abernix closed this as completed Jul 9, 2019
@abernix abernix removed the 🚧👷‍♀️👷‍♂️🚧 in triage Issue currently being triaged label Jul 9, 2019
This was referenced Apr 27, 2021
Open
Open
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@vroad @abernix @demeralde @jordan-jarolim @frederikhors