![]() As defined in RFC 7231#section-4.2.1, we consider the GET, HEAD and OPTIONS methods as secure methods. The csrf plugin is implemented based on the Double Submit Cookie scheme. Since the request carries some of the user's credentials, the attacker can get access to the user's information by parsing these credentials, thus creating a security risk.Īpache APISIX is a dynamic, real-time, high-performance API gateway.ĪPISIX provides rich traffic management features such as load balancing, dynamic upstream, canary release, circuit breaking, authentication, observability, and more. It appears to the server that the request is exactly the same as the request normally sent by the user, unaware that it was initiated by the attacker without the user's knowledge. ![]() The page then loads normally and the request is automatically sent to the server. ![]() This page contains a request that is automatically sent to the target server. The general flow of the attack is that first the attacker will lure the user to navigate to a web page provided by the attacker. The key point of launching a cross-site request forgery attack is to make the target server unable to distinguish whether the source of many requests is a real user or an attacker. This article introduces csrf, the CSRF security plugin for Apache APISIX, and details how to secure your API information in Apache APISIX with the help of the csrf plugin. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |