2
votes

In my application, I ask the client to create a token for himself first and use that token in each request for accessing the resources on the server. But that does not prevent CSRF attacks.

So what is the best way to prevent CSRF and XSS attacks in React/Redux applications?


2 Answers

3
votes

XSS and CSRF are such different things that I believe you should not mix them in a single question.

XSS is about displaying user input without any sanitizing on your side/in your HTML. That user input may contain JavaScript that steals cookies or sends private messages etc. on the current user's behalf. Obviously, to prevent that you need to sanitize or escape everything that comes from the user. But React does that for you, unless you are so risky that you use dangerouslySetInnerHTML.

As for CSRF, it's up to the backend in the first place to handle it somehow (see another SO question for details). React here may just handle the token to make secured requests work. But it depends on the backend implementation.

-1
votes

One option is to use the csurf library to create XSRF tokens for every request.

Secondly: if you are posting only JSON data over HTTP using an authentication token and not using cookies, then CSRF is not possible.