How to send secure AJAX requests with PHP and jQuery
1. Check the ORIGIN header
As specified by OWASP, this is not enough but recommended :
Although it is trivial to spoof any header from your own browser, it is generally impossible to do so in a CSRF attack, except via an XSS vulnerability. That's why checking headers is a reasonable first step in your CSRF defense, but since they aren't always present, its generally not considered a sufficient defense on its own.
And by Mozilla :
The Origin header is considered helpful against JSON data theft and CSRF attacks. The information provided by Origin--a bit of contextual request-creation information--should provide hints to web servers about trustworthiness of requests [...]
Checking the HTTP_ORIGIN
header could be written as :
header('Content-Type: application/json');
if (isset($_SERVER['HTTP_ORIGIN'])) {
$address = 'http://' . $_SERVER['SERVER_NAME'];
if (strpos($address, $_SERVER['HTTP_ORIGIN']) !== 0) {
exit(json_encode([
'error' => 'Invalid Origin header: ' . $_SERVER['HTTP_ORIGIN']
]));
}
} else {
exit(json_encode(['error' => 'No Origin header']));
}
1. (bis) Check the REFERER header
Again from OWASP :
If the Origin header is not present, verify the hostname in the Referer header matches the site's origin. Checking the referer is a commonly used method of preventing CSRF on embedded network devices because it does not require a per-user state.. This method of CSRF mitigation is also commonly used with unauthenticated requests [...]
Checking the HTTP_REFERER
is also quite simple in PHP with $_SERVER['HTTP_REFERER']
, you can just update the above code with it.
BE CAREFUL with the checking which always need to be really specific : do no check just example.com or api.example.com but the full https://example.com. Why ? Because you could spoof this check with an origin like api.example.com.hacker.com.
2. Generate CSRF tokens
A well-explained answer specific to PHP has been given there, in short :
-
Generate the token :
session_start(); if (empty($_SESSION['csrf_token'])) { $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); }
-
Add it in your generated views via a meta (like Github) :
<meta name="csrf-token" content="<?= $_SESSION['csrf_token'] ?>">
-
Setup jQuery ajax calls to include this token :
$.ajaxSetup({ headers : { 'CsrfToken': $('meta[name="csrf-token"]').attr('content') } });
-
Server-side check your AJAX requests :
session_start(); if (empty($_SESSION['csrf_token'])) { $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); } header('Content-Type: application/json'); $headers = apache_request_headers(); if (isset($headers['CsrfToken'])) { if ($headers['CsrfToken'] !== $_SESSION['csrf_token']) { exit(json_encode(['error' => 'Wrong CSRF token.'])); } } else { exit(json_encode(['error' => 'No CSRF token.'])); }
Most PHP frameworks have their own CSRF implementation, which more or less lay upon the same principle.
3. Sanitize validate user input.
You always must filter espace inputs and validate them.
4. Protect your server
- Limit the number of your requests.
- Use https as much as possible.
- Block bad queries.
- Protect POST requests.
5. Never trust user input
As @blue112 said, it is one of the most elementary security principles.
Short answer: you can't protect your client side.
Long answer:
- Using AJAX is just as safe as posting data with, for instance, a form.
- Using HTTPS prevents man-in-the-middle to see your user data, so the actual data sent by the user are safe.
You can't do anything to make the browser prove that it's actually your javascript code that runs on the client side. Then, the obvious action to take is the most simple one: NEVER TRUST USER INPUT.
This mean, as you started to do, securing your server side using session, rate limiting, data validation, fail2ban (banning a client ip after a certain number of fail), log monitoring...