- Shoutouts, News, announcements
- CSRF with Angular and SpringBoot
- Networking
- Jobs, Projects?
- Meetups, Events, Trainings?
- News?
Note:
- last meetup for this year
- Videos from Angular Connect online shortly
https://wingsuitist.github.io/angular-basel-meetup/index.html
Wanted topics:
- good examples / real live apps
- Redux, ngrx/store
- MEAN Stack
- ngUpgrade
- Lazy Loading / Routing
- RxJS
- Serverless AWS Lamda/Firebase
- ... AOT, Translations
- How to integrate other libraries into Angular
Cross-Site Request Forgery (aka XSRF)
- HTTP is stateless
- preserve session with cookie
- cookie can not be read from script from other domain
- but cookie is submitted for any request going to it's domain, no matter who initiated request
- user is logged into site A and site B (e.g. in different tabs)
- site B sends a request to the backend of site A
- cookie from site A gets sent along
- user is considered authenticated
- prove, that request was actually made from site A
- send along cookie value as header parameter as well
- only possible for scripts of site A
- if header and cookie don't match -> reject at backend
- builds on Same-origin policy
- enabled per default when security is enabled
- sets Cookie with name X-XSRF-TOKEN on every request
- updates token on each request
Note: changing token on each request adds some more security, but not much
if there is a cookie X-XSRF-TOKEN, it's value is attached as a header X-XSRF-Token
- SpringBoot makes Token HTTP-Only per default
- custom header interceptor
- Video: Cross Site Request Funkery Securing Your Angular Apps From Evil Doers | Dave Smith
- Article: Angular2 and Spring — fighting CSRF in the wild.
- Demo based on: A Guide to CSRF
<iframe src="https://giphy.com/embed/26ufbjVtvdCaikoP6" width="900" height="600" frameBorder="0" class="giphy-embed" allowFullScreen></iframe>