Apollo-server: Apollo Server and CSRF protection.

Created on 28 Aug 2018 · 4 comments · Source: apollographql/apollo-server

Guys,

I am really sad not to see any results in these issues when I search for the word "CSRF".

I read a lot around:

  1. https://github.com/pillarjs/understanding-csrf
  2. https://security.stackexchange.com/questions/10227/csrf-with-json-post
  3. https://stackoverflow.com/questions/11008469/are-json-web-services-vulnerable-to-csrf-attacks
  4. (Nothing on the ApolloServer site: https://www.apollographql.com/docs/apollo-server/)

However, I am not yet able to understand whether our endpoint ("/graphql") is protected against this type of attack, or whether it is necessary to protect it with solutions like this: https://github.com/expressjs/csurf.

The thing that is not clear to me is that here: https://github.com/pillarjs/understanding-csrf they say:

When you're using CSRF tokens incorrectly:
...
Adding them to JSON AJAX calls
As noted above, if you do not support CORS and your APIs are strictly JSON, there is absolutely no point in adding CSRF tokens to your AJAX calls.

If we restrict our endpoint to just use Content-Type: application/json are we safe?

All 4 comments

There was a vulnerability in Flash player that allowed bypassing CSRF protection with Content-Type: application/json.

https://security.stackexchange.com/questions/170477/csrf-with-json-post-when-content-type-must-be-application-json

According to the author it's fixed in all modern browsers, and only works on IE with File URI (but not with http/https).

Sorry, my comment was off-topic.

Apollo Server isn't unlike any other server in this regard, and as noted in the original body, barring any browser-based bugs (which, let's be honest, the underlying security model here leans on heavily, outside of Apollo Server), limiting usage to application/json is a great practice to enforce for any API where user-based session information is shared on the same domain (e.g. cookies, etc.).

Depending on exactly which server integration (e.g. Hapi, Koa, etc.) is at play, along with what other middleware (besides Apollo) is in use, you should take precautions to ensure that you are not subjected to the risks of CSRF. Keep in mind that if you wish to only accept application/json, you should disable uploads using uploads: false, since graphql-upload requires accepting multipart/form-data to accommodate the uploads.
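The "accept only application/json" rule the comment above describes, written out as a guard in front of the /graphql route. This is an added example, not code from the issue or from Apollo Server; the Express-style req/res/next signature and the 415 response are assumptions, and the `uploads: false` pairing is the one the comment itself points out.

```javascript
// Added example (not Apollo Server's own code): enforce JSON-only bodies on
// the GraphQL endpoint. A browser can attach a victim's cookies to a
// cross-site request only via a <form> post or a "simple" fetch/XHR, and
// those are limited to the three content types below. Sending
// application/json instead triggers a CORS preflight, which the server can
// refuse, so rejecting everything else closes the cookie-riding CSRF vector.

// Content types a browser may send cross-site without a CORS preflight.
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Body-less methods that this guard passes through untouched.
const BODYLESS_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Media type of a Content-Type header, lower-cased, parameters removed
// ("application/json; charset=utf-8" -> "application/json"); '' if absent.
function mediaType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Decide whether a body-carrying request may reach the GraphQL executor.
function checkGraphqlRequest(method, contentTypeHeader) {
  if (BODYLESS_METHODS.has(String(method).toUpperCase())) {
    return { allowed: true };
  }
  const type = mediaType(contentTypeHeader);
  if (type === 'application/json') {
    return { allowed: true };
  }
  const reason = SIMPLE_CONTENT_TYPES.has(type)
    ? `Content-Type ${type} can be sent cross-site without a CORS preflight; only application/json is accepted`
    : `Unsupported Content-Type "${type || '(none)'}"; only application/json is accepted`;
  return { allowed: false, reason };
}

// Express-style middleware (assumed wiring): mount it before the Apollo
// handler on /graphql. Pair it with `uploads: false` in the ApolloServer
// options, as the comment notes, since graphql-upload otherwise needs to
// accept multipart/form-data, which this guard rejects.
function jsonOnlyGuard(req, res, next) {
  const verdict = checkGraphqlRequest(req.method, req.headers['content-type']);
  if (verdict.allowed) return next();
  res.status(415).json({ errors: [{ message: verdict.reason }] });
}
```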
