Building Data Science Applications with FastAPI - Second Edition by François Voron

Author: François Voron
Language: eng
Format: epub
ISBN: 9781837632749
Publisher: Packt Publishing
Published: 2023-07-31T00:00:00+00:00


This is safe for two reasons:

An attacker targeting a third-party website can’t read the cookies for a domain they don’t own. Thus, they have no way of retrieving the CSRF token value.

Adding a custom header is against the conditions of “simple requests.” Hence, the browser will have to make a preflight request before sending the request, enforcing the CORS policy.

This is a widely used pattern that works well to prevent such risks. This is why we installed starlette-csrf at the beginning of this section: it provides a piece of middleware for implementing it.

We can use it just like any other middleware, as shown in the following example:

app.py

from starlette_csrf import CSRFMiddleware  # import the snippet relies on

app.add_middleware(
    CSRFMiddleware,
    secret=CSRF_TOKEN_SECRET,  # strong passphrase used to sign the CSRF token
    sensitive_cookies={TOKEN_COOKIE_NAME},  # cookies whose presence triggers the check
    cookie_domain="localhost",  # lets the frontend read the cookie across subdomains
)

https://github.com/PacktPublishing/Building-Data-Science-Applications-with-FastAPI-Second-Edition/tree/main/chapter07/csrf/app.py

We set several important arguments here. First, secret should be a strong passphrase; it is used to sign the CSRF token so that a token not issued by the server is rejected. Then, sensitive_cookies is the set of cookie names that trigger the CSRF protection: if the request carries none of these cookies, the CSRF check is skipped. This is also useful if you offer other authentication methods that don’t rely on cookies, such as an Authorization header, which is not vulnerable to CSRF because the browser never attaches it automatically. Finally, setting cookie_domain allows the frontend to read the cookie containing the CSRF token even when it is served from a different subdomain; this is necessary in a cross-origin situation.
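To make the two reasons given above and the three settings concrete, here is a simplified double-submit cookie check written for this section. It is an added example, not the book’s code and not the internals of starlette-csrf (whose signing scheme differs); the names Request, DoubleSubmitCSRF and run_scenarios, the cookie and header names, and the constructed requests are all assumptions. It shows why a cross-site request that carries the session cookie is still blocked (no header), why a request without any sensitive cookie skips the check, and why signing the token with the secret matters.

```python
"""Simplified double-submit cookie CSRF check (added example, not starlette-csrf)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    cookies: dict
    headers: dict


class DoubleSubmitCSRF:
    """Mirrors the three settings discussed in the text: secret, sensitive_cookies, cookie_domain."""

    SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

    def __init__(self, secret, sensitive_cookies, cookie_domain=None,
                 cookie_name="csrftoken", header_name="x-csrftoken"):
        self.secret = secret.encode()
        self.sensitive_cookies = set(sensitive_cookies)
        self.cookie_domain = cookie_domain
        self.cookie_name = cookie_name
        self.header_name = header_name.lower()

    def _sign(self, nonce):
        return hmac.new(self.secret, nonce.encode(), hashlib.sha256).hexdigest()

    def issue_token(self):
        """What a GET /csrf style endpoint would put in the cookie: random nonce + HMAC."""
        nonce = secrets.token_urlsafe(32)
        return f"{nonce}.{self._sign(nonce)}"

    def set_cookie_header(self, token):
        """Set-Cookie value; the Domain attribute lets subdomains of the frontend read it."""
        parts = [f"{self.cookie_name}={token}", "Path=/", "SameSite=Lax"]
        if self.cookie_domain:
            parts.append(f"Domain={self.cookie_domain}")
        return "; ".join(parts)

    def _signature_valid(self, token):
        nonce, sep, sig = token.rpartition(".")
        if not sep:
            return False
        return hmac.compare_digest(self._sign(nonce).encode(), sig.encode())

    def check(self, request):
        """Return (allowed, reason) for a request, applying the gating rules in order."""
        if request.method.upper() in self.SAFE_METHODS:
            return True, "safe method"
        if not (self.sensitive_cookies & set(request.cookies)):
            # No session-bearing cookie: nothing ambient for a cross-site request to ride on.
            return True, "no sensitive cookie present"
        cookie = request.cookies.get(self.cookie_name)
        header = {k.lower(): v for k, v in request.headers.items()}.get(self.header_name)
        if cookie is None or header is None:
            return False, "csrf cookie or header missing"
        if not hmac.compare_digest(cookie.encode(), header.encode()):
            return False, "cookie and header differ"
        if not self._signature_valid(cookie):
            return False, "token signature invalid"
        return True, "ok"


def run_scenarios():
    """Constructed requests covering the cases the text describes."""
    csrf = DoubleSubmitCSRF(secret="change-me", sensitive_cookies={"session"},
                            cookie_domain="localhost")
    token = csrf.issue_token()
    session = {"session": "user-1"}
    return {
        # Legitimate frontend: read the cookie (same domain) and echoed it in the header.
        "legit": csrf.check(Request("POST", {**session, "csrftoken": token},
                                    {"X-CSRFToken": token})),
        # Cross-site form post: the browser attaches cookies, but the page cannot set the header.
        "cross_site": csrf.check(Request("POST", {**session, "csrftoken": token}, {})),
        # Token not signed with the server secret: matches the header but fails the HMAC check.
        "unsigned": csrf.check(Request("POST", {**session, "csrftoken": "guess.0000"},
                                       {"X-CSRFToken": "guess.0000"})),
        # Bearer-token client: no sensitive cookie, so the CSRF check is skipped.
        "bearer": csrf.check(Request("POST", {}, {"Authorization": "Bearer t"})),
        "get": csrf.check(Request("GET", session, {})),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:10s} {'allowed' if ok else 'blocked':8s} {why}")
```

The order of checks is the point: safe methods pass, requests without a sensitive cookie pass, and only then is the cookie compared against the header and its signature verified, which is the same gating the middleware settings above configure.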

That’s all you need to have the necessary protection ready. To ease the process of getting a fresh CSRF token, we implemented a minimal GET endpoint called /csrf. Its sole purpose is to provide us with a simple way to set the CSRF token cookie. We can call it directly when we load our frontend application.

Now, let’s try it out in our situation. As we did in the previous section, we’ll run the FastAPI application and the simple HTML application on two different ports. To do this, just run the following commands:

(venv) $ uvicorn chapter07.csrf.app:app

This will run the FastAPI application on port 8000. Now, run the following command:

(venv) $ python -m http.server --directory chapter07/csrf 9000

The frontend application is now live on http://localhost:9000. Open it in your browser. You should see an interface similar to the following:
