如何给被视作为静态资源的spa加上csrf保护?

最近我在使用react+react-router开发spa,后台使用的是yii2nignx设置的是当404就返回index.html。但是这样子有个问题是,我没有办法使用csrf的保护,这样子要怎么解决呢?

我看到了一个网站使用的技术栈和我的差不多,我看了它是在head标签上面写了一个含有token值的meta标签,而它的每一个请求都会将这个token作为header的值发回去。这样子要怎么做?要怎么将token值渲染到这个index.html里头?

ajax 提交的

$.ajax{
url: 你的url
type:依什么方式
dataType:数据类型
data :
headers:{X-CSRF-TOKEN: $meta[name="csrf-token"].attrcontent ? $meta[name="csrf-token"].attrcontent : },
beforeSend:functionmsg{
alert等待回调;
},
}

将输出部分放在header头里

<?php // +----------------------------------------------------------------------
// | CSRF安全验证类 @pushaowei
// +----------------------------------------------------------------------
// | [Usage]
// | // 后端
// | use libraryBaseNoCSRF;
// | session_start; // | if $this->getRequest->isPost {
// | // | try {
// | ##验证TOKEN // | NoCSRF::check csrf_token, $_POST, true, 60*10, false ; //60*10为10分钟null为不验证时间
// | $result = CSRF check passed. Form parsed.;
// | //$this->getRequest->getPostfield;
// | echo $result; // | } catch Exception $e {
// | echo $e->getMessage . Form ignored.; // | } // | } else { // | #生成TOKEN // | $token = NoCSRF::generate csrf_token ;
// | $this->getView->assigntoken, $token;
// | $this->getView->display页面;
// | }
// | // 前端
// | <meta name="csrf-token" content="<?php echo libraryBaseNoCSRF::generate csrf_token ;?>" />
// +---------------------------------------------------------------------- class NoCSRF
{ protected static $doOriginCheck = false; /** * Check CSRF tokens match between session and $origin. * Make sure you generated a token in the form before checking it. * * @param String $key The session and $origin key where to find the token. * @param Mixed $origin The object/associative array to retreive the token data from usually $_POST. * @param Boolean $throwException Facultative TRUE to throw exception on check fail, FALSE or default to return false. * @param Integer $timespan Facultative Makes the token expire after $timespan seconds. null = never * @param Boolean $multiple Facultative Makes the token reusable and not one-time. Useful for ajax-heavy requests. * * @return Boolean Returns FALSE if a CSRF attack is detected, TRUE otherwise. */ public static function check $key, $origin, $throwException=false, $timespan=null, $multiple=false { $session = Session::getInstance; if !$session->has csrf_ . $key if$throwException throw new Exception Missing CSRF session token. ; else return false; if !isset $origin[ $key ] if$throwException throw new Exception Missing CSRF form token. ; else return false; // Get valid token from session $hash = $session->getcsrf_ . $key; // Free up session token for one-time CSRF token usage. if!$multiple $session->forgetcsrf_ . $key; // Origin checks if self::$doOriginCheck && sha1 $_SERVER[REMOTE_ADDR] . $_SERVER[HTTP_USER_AGENT] != substr base64_decode $hash , 10, 40 { if$throwException throw new Exception Form origin does not match token origin. ; else return false; } // Check if session token matches form token if $origin[ $key ] != $hash if$throwException throw new Exception Invalid CSRF token. ; else return false; // Check for token expiration if $timespan != null && is_int $timespan && intval substr base64_decode $hash , 0, 10 + $timespan < time if$throwException throw new Exception CSRF token has expired. ; else return false; return true; } /** * Adds extra useragent and remote_addr checks to CSRF protections. */ public static function enableOriginCheck { self::$doOriginCheck = true; } /** * CSRF token generation method. After generating the token, put it inside a hidden form field named $key. * * @param String $key The session key where the token will be stored. Will also be the name of the hidden field name * @return String The generated, base64 encoded token. */ public static function generate $key { $session = Session::getInstance; $extra = self::$doOriginCheck ? sha1 $_SERVER[REMOTE_ADDR] . $_SERVER[HTTP_USER_AGENT] : ; // token generation basically base64_encode any random complex string, time is used for token expiration $token = base64_encode time . $extra . self::randomString 32 ; // store the one-time token in session $session->putcsrf_ . $key, $token; return $token; } /** * Generates a random string of given $length. * * @param Integer $length The string length. * @return String The randomly generated string. */ protected static function randomString $length { $seed = ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijqlmnopqrtsuvwxyz0123456789; $max = strlen $seed - 1; $string = ; for $i = 0; $i < $length; ++$i $string .= $seed{intval mt_rand 0.0, $max }; return $string; } }
?>

发表评论

电子邮件地址不会被公开。 必填项已用*标注