Is CSRF possible on API?
The client must actually post through an approved path: view the form page, fill it out, and submit the data. An API largely precludes CSRF, because its entire purpose is generally to allow third-party entities to access and manipulate data on your site (the "cross-site" in CSRF).
Do we need CSRF in REST API?
For XHR (Ajax) requests that go through CORS pre-flight checks, it is true that CSRF tokens are less important. However, simple POST requests (such as an HTML form submission) do not trigger a pre-flight or CORS check, so the CSRF token is still the only protection against CSRF for them.
Is it possible to CSRF a REST API endpoint?
REST API endpoints have a very important difference from other requests: they are specifically stateless, and should never accept or use data from either a cookie or a session. If that is how you define "REST API", then no CSRF is possible.
When to use CSRF protection for GET requests?
Generally, POST requests should be used for changing the state of something. If you have GET requests set up so that they can change state (e.g. www.example.com/settings?delete_account=True), then you should use CSRF protection as a Band-Aid fix. Try to use POST, not GET, to change state.
How does a CSRF attack apply to APIs in Python?
The simple scenario is that you visit foo.com and the website executes JavaScript to make an AJAX-based DELETE request to api.com/users/123, deleting the user on your behalf. This isn't always possible because of CORS — browsers will prevent foo.com from making that request to api.com unless api.com explicitly whitelists foo.com.
Can a CSRF attack execute but not see the results?
As a CSRF attack can execute commands but can’t see their results, it is forced to act blindly. For example, a CSRF attack can tell your browser to request your bank account balance, but it can’t see that balance.
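The answers above turn on two distinctions: whether a request is "simple" (sent by the browser without a CORS pre-flight, as a form POST is) and whether the endpoint is authenticated by an ambient credential such as a cookie or by a stateless bearer token. The following is an added example, not code from any of the quoted answers, that classifies an incoming request along those lines so a server knows when a CSRF token is its only defence; the header names, return labels and `verify_token` helper are assumptions of this example.

```python
# Added example: which requests need a CSRF token? Assumes the caller passes
# the HTTP method, the request headers as a dict, and the parsed cookies.
import hmac

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
# Content types a browser may send cross-site without a pre-flight.
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
# CORS-safelisted request headers plus the ones the browser adds itself;
# anything else (Authorization, X-Requested-With, ...) forces a pre-flight.
NO_PREFLIGHT_HEADERS = {
    "accept", "accept-language", "content-language", "content-type",
    "cookie", "host", "origin", "referer",
}


def is_simple_request(method: str, headers: dict) -> bool:
    """True if a browser would send this request without a CORS pre-flight."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() not in SIMPLE_METHODS:
        return False
    if not set(h) <= NO_PREFLIGHT_HEADERS:
        return False
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    return ctype == "" or ctype in SIMPLE_CONTENT_TYPES


def csrf_exposure(method: str, headers: dict, cookies: dict) -> str:
    """Classify what stands between a cross-site page and this request."""
    if not cookies:
        # Stateless call (e.g. bearer token): no ambient credential to ride on.
        return "no-ambient-credential"
    if method.upper() in ("GET", "HEAD"):
        # Safe only while GET never changes state (see the GET answer above).
        return "safe-method"
    if not is_simple_request(method, headers):
        # A pre-flight is required, so the CORS policy decides; keep it strict
        # and never reflect arbitrary origins.
        return "preflight-gated"
    # Cookie-authenticated simple POST: the token is the only protection.
    return "token-required"


def verify_token(submitted: str, expected: str) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    return bool(submitted) and bool(expected) and hmac.compare_digest(submitted, expected)
```

A JSON POST from `foo.com` to `api.com`, as in the Python answer, lands in the "preflight-gated" case, while the same action submitted through a plain HTML form is "token-required".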