---
title: CSRF防护与双重提交Cookie-Origin-Token协同最佳实践
keywords:
- CSRF
- SameSite
- Double Submit Cookie
- Origin
- Referer
- Token
- Header
- 表单
- Fetch
- 认证
description: 通过SameSite属性、Origin/Referer校验与双重提交Cookie+令牌组合,构建可验证的CSRF防护方案,附令牌签发与校验中间件及验收清单。
categories:
- 文章资讯
- 编程技术
---
一、基线与目标
- 基线:
SameSite=Lax/Strict优先;跨站场景采用令牌与头校验;拒绝不可信来源。 - 目标:双重提交Cookie与请求头一致性、Origin/Referer校验、表单与Fetch统一策略。
二、令牌签发
import crypto from 'crypto'
type Res = { setHeader: (k: string, v: string) => void }
function issueCsrf(): string { return crypto.randomBytes(16).toString('hex') }
function setCsrfCookie(res: Res, token: string) {
const header = `__Host-csrf=${token}; Path=/; SameSite=Strict; Secure`
res.setHeader('Set-Cookie', header)
}
三、Origin/Referer校验
function validOrigin(req: { headers: Record<string, string | undefined> }, allow: Set<string>): boolean {
const o = req.headers['origin'] || ''
return allow.has(o)
}
function validReferer(req: { headers: Record<string, string | undefined> }, allow: Set<string>): boolean {
const r = req.headers['referer'] || ''
try { const u = new URL(r); return allow.has(u.origin) } catch { return false }
}
四、双重提交校验
type Req = { headers: Record<string, string | undefined>; cookies: Record<string, string | undefined> }
type Resp = { status: (n: number) => Resp; end: (b?: string) => void }
function validateDoubleSubmit(req: Req): boolean {
const ct = req.headers['x-csrf-token'] || ''
const ck = req.cookies['__Host-csrf'] || ''
return ct.length === 32 && ct === ck
}
function csrfGuard(req: Req, res: Resp, allow: Set<string>) {
const okOrigin = validOrigin(req, allow) || validReferer(req, allow)
if (!okOrigin) return res.status(403).end('invalid_origin')
if (!validateDoubleSubmit(req)) return res.status(403).end('invalid_csrf')
}
五、验收清单
SameSite默认Strict或Lax;跨站场景必须令牌校验与来源校验。- 令牌长度与一致性通过;
Origin/Referer在白名单内;对不可信来源拒绝。 - 表单与Fetch统一携带
X-CSRF-Token与Cookie;审计包含失败原因与来源。
发表评论 取消回复