{"id":3780,"date":"2025-06-28T12:51:59","date_gmt":"2025-06-28T04:51:59","guid":{"rendered":"https:\/\/www.laixuexila.com\/?p=3780"},"modified":"2025-06-28T13:19:16","modified_gmt":"2025-06-28T05:19:16","slug":"ajax-%e8%af%b7%e6%b1%82%e5%a6%82%e4%bd%95%e5%8a%a0%e4%b8%8a-csrf-%e9%98%b2%e6%8a%a4","status":"publish","type":"post","link":"https:\/\/www.laixuexila.com\/index.php\/2025\/06\/28\/ajax-%e8%af%b7%e6%b1%82%e5%a6%82%e4%bd%95%e5%8a%a0%e4%b8%8a-csrf-%e9%98%b2%e6%8a%a4\/","title":{"rendered":"Ajax \u8bf7\u6c42\u5982\u4f55\u52a0\u4e0a CSRF \u9632\u62a4"},"content":{"rendered":"\n<p>\u5728 <strong>Ajax \u8bf7\u6c42\u4e2d\u52a0\u4e0a CSRF \u9632\u62a4<\/strong> \u662f\u975e\u5e38\u91cd\u8981\u7684\uff0c\u7279\u522b\u662f\u5728\u73b0\u4ee3 Web \u5e94\u7528\uff08\u5982\u4f7f\u7528 jQuery\u3001Axios\u3001Fetch \u7684\u524d\u540e\u7aef\u5206\u79bb\u9879\u76ee\uff09\u4e2d\u3002\u4e0b\u9762\u662f\u4ece\u539f\u7406\u3001\u5b9e\u73b0\u65b9\u6cd5\u3001\u4ee3\u7801\u793a\u4f8b\u5230\u4e0d\u540c\u6846\u67b6\u4e0b\u7684\u7528\u6cd5\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u4e00\u3001CSRF Token \u5728 Ajax \u4e2d\u7684\u5904\u7406\u539f\u7406<\/h2>\n\n\n\n<p>\u5728\u4f20\u7edf\u8868\u5355\u4e2d\uff0cCSRF token \u662f\u901a\u8fc7\u9690\u85cf\u5b57\u6bb5\u63d0\u4ea4\u7684\u3002\u800c\u5728 Ajax \u4e2d\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u524d\u7aef<\/strong>\uff1a\u9700\u5c06 CSRF Token \u52a0\u5165\u8bf7\u6c42 header \u6216\u8bf7\u6c42 body\uff1b<\/li>\n\n\n\n<li><strong>\u540e\u7aef<\/strong>\uff1a\u9700\u4ece header \u6216 body \u4e2d\u63d0\u53d6\u5e76\u9a8c\u8bc1 token\uff1b<\/li>\n\n\n\n<li>\u901a\u5e38\u7531\u540e\u7aef\u6e32\u67d3\u9875\u9762\u65f6\u6ce8\u5165 token \u5230 HTML\uff0c\u518d\u7531 JavaScript \u8bfb\u53d6\u4f7f\u7528\u3002<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u4e8c\u3001\u5b9e\u73b0\u65b9\u5f0f\u6c47\u603b<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u65b9\u6cd5<\/th><th>\u8bf4\u660e<\/th><th>\u5b89\u5168\u6027<\/th><\/tr><\/thead><tbody><tr><td>\u81ea\u5b9a\u4e49 header\uff08\u63a8\u8350\uff09<\/td><td>\u5c06 token \u5199\u5165 Ajax \u8bf7\u6c42 header<\/td><td>\u2b50\u2b50\u2b50\u2b50\u2b50<\/td><\/tr><tr><td>\u8bf7\u6c42 body<\/td><td>\u9002\u7528\u4e8e POST \u8bf7\u6c42\u5e26 form-data\/json<\/td><td>\u2b50\u2b50\u2b50\u2b50<\/td><\/tr><tr><td>Cookie + header \u53cc token\uff08SPA\/REST\uff09<\/td><td>\u9632\u5fa1 CSRF + XSS<\/td><td>\u2b50\u2b50\u2b50\u2b50\u2b50<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u4e09\u3001CSRF Token \u5728\u9875\u9762\u4e2d\u7684\u6ce8\u5165\u65b9\u5f0f<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\u65b9\u6cd5 1\uff1a\u540e\u7aef\u6e32\u67d3\u6ce8\u5165\u5230 meta \u6807\u7b7e<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;meta name=\"csrf-token\" content=\"&lt;?php echo $_SESSION&#91;'csrf_token']; ?&gt;\"&gt;<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\u65b9\u6cd5 2\uff1a\u6ce8\u5165\u5230 JavaScript \u53d8\u91cf<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;script&gt;\n  window.csrfToken = \"&lt;?php echo $_SESSION&#91;'csrf_token']; ?&gt;\";\n&lt;\/script&gt;<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u56db\u3001jQuery \u793a\u4f8b\uff1a\u81ea\u52a8\u6dfb\u52a0 CSRF Token<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ \u83b7\u53d6 token\nconst token = document.querySelector('meta&#91;name=\"csrf-token\"]').getAttribute('content');\n\n\/\/ \u5168\u5c40\u8bbe\u7f6e Ajax \u8bf7\u6c42\u5934\n$.ajaxSetup({\n  headers: {\n    'X-CSRF-TOKEN': token\n  }\n});<\/code><\/pre>\n\n\n\n<p>\u7136\u540e\u4f60\u5c31\u53ef\u4ee5\u5b89\u5168\u53d1\u9001 POST \u8bf7\u6c42\u4e86\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$.post('\/api\/update-profile', {\n  name: 'John'\n}, function (response) {\n  console.log('\u54cd\u5e94\uff1a', response);\n});<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u4e94\u3001\u539f\u751f Fetch \u793a\u4f8b<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>const token = document.querySelector('meta&#91;name=\"csrf-token\"]').getAttribute('content');\n\nfetch('\/api\/update-profile', {\n  method: 'POST',\n  headers: {\n    'Content-Type': 'application\/json',\n    'X-CSRF-TOKEN': token\n  },\n  body: JSON.stringify({ name: 'Jane' })\n})\n.then(res =&gt; res.json())\n.then(data =&gt; console.log(data));<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u516d\u3001Axios \u793a\u4f8b\uff08\u63a8\u8350\u7528\u4e8e Vue\/React\uff09<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>import axios from 'axios';\n\naxios.defaults.headers.common&#91;'X-CSRF-TOKEN'] = document.querySelector('meta&#91;name=\"csrf-token\"]').getAttribute('content');\n\naxios.post('\/api\/update-profile', { name: 'Jane' })\n  .then(response =&gt; console.log(response.data));<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u4e03\u3001\u540e\u7aef PHP \u4e2d\u9a8c\u8bc1 Ajax \u8bf7\u6c42\u7684 CSRF Token<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>session_start();\n\n$csrf_token_header = $_SERVER&#91;'HTTP_X_CSRF_TOKEN'] ?? '';\n\nif (!hash_equals($_SESSION&#91;'csrf_token'], $csrf_token_header)) {\n    http_response_code(403);\n    echo json_encode(&#91;'error' =&gt; 'CSRF \u9a8c\u8bc1\u5931\u8d25']);\n    exit;\n}<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u2705 \u6ce8\u610f\uff1a<code>X-CSRF-TOKEN<\/code> \u662f\u5e38\u7528\u81ea\u5b9a\u4e49 header \u540d\uff0c\u53ef\u81ea\u7531\u5b9a\u4e49\u4e3a\u5982 <code>X-XSRF-TOKEN<\/code>\u3002<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u516b\u3001\u5404\u4e3b\u6d41\u6846\u67b6\u7684 Ajax CSRF \u914d\u7f6e\u65b9\u5f0f<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd38 Laravel<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;!-- layout.blade.php --&gt;\n&lt;meta name=\"csrf-token\" content=\"{{ csrf_token() }}\"&gt;<\/code><\/pre>\n\n\n\n<p>JS\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>axios.defaults.headers.common&#91;'X-CSRF-TOKEN'] = document.querySelector('meta&#91;name=\"csrf-token\"]').getAttribute('content');<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Laravel \u4f1a\u81ea\u52a8\u9a8c\u8bc1 <code>X-CSRF-TOKEN<\/code> header \u6216 <code>_token<\/code> \u5b57\u6bb5\u3002<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd38 Symfony<\/h3>\n\n\n\n<p>\u4f7f\u7528 <code>CsrfTokenManager<\/code> \u751f\u6210\u4ee4\u724c\uff0c\u624b\u52a8\u9a8c\u8bc1\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$token = $request-&gt;headers-&gt;get('X-CSRF-TOKEN');\nif (!$csrfTokenManager-&gt;isTokenValid(new CsrfToken('action_id', $token))) {\n    throw new AccessDeniedHttpException('CSRF token invalid');\n}<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd38 Yii2<\/h3>\n\n\n\n<p>\u5f00\u542f CSRF\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>'request' =&gt; &#91;\n    'enableCsrfValidation' =&gt; true,\n    'csrfParam' =&gt; '_csrf',\n],<\/code><\/pre>\n\n\n\n<p>JS\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>let csrfToken = $('meta&#91;name=csrf-token]').attr(\"content\");\n$.ajaxSetup({\n    data: { _csrf: csrfToken }\n});<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udcda \u6743\u5a01\u53c2\u8003\u8d44\u6599<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/owasp.org\/www-community\/attacks\/csrf\">OWASP CSRF \u5b98\u65b9\u6587\u6863<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/laravel.com\/docs\/csrf\">Laravel \u5b98\u65b9\u6587\u6863 &#8211; CSRF \u4fdd\u62a4<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/symfony.com\/doc\/current\/security\/csrf.html\">Symfony CSRF Protection<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/api.jquery.com\/jQuery.ajaxSetup\/\">jQuery ajaxSetup<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u5c0f\u7ed3\uff1aAjax \u9632 CSRF \u6700\u4f73\u5b9e\u8df5<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u6b65\u9aa4<\/th><th>\u63a8\u8350\u505a\u6cd5<\/th><\/tr><\/thead><tbody><tr><td>1\ufe0f\u20e3 \u9875\u9762\u6ce8\u5165 token<\/td><td>\u7528 meta \u6216 JS \u5168\u5c40\u53d8\u91cf<\/td><\/tr><tr><td>2\ufe0f\u20e3 \u524d\u7aef\u5e26\u4e0a token<\/td><td>\u4f7f\u7528 header <code>X-CSRF-TOKEN<\/code><\/td><\/tr><tr><td>3\ufe0f\u20e3 \u540e\u7aef\u9a8c\u8bc1 token<\/td><td>\u4e0e Session \u6216 Cookie \u4e2d token \u6bd4\u5bf9<\/td><\/tr><tr><td>4\ufe0f\u20e3 \u9a8c\u8bc1\u5931\u8d25\u5904\u7406<\/td><td>\u8fd4\u56de 403\uff0c\u8bb0\u5f55\u65e5\u5fd7<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>\u66f4\u591a\u8be6\u7ec6\u5185\u5bb9\uff0c\u8bf7\u5173\u6ce8\u5176\u4ed6\u76f8\u5173\u6587\u7ae0\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u5728 Ajax \u8bf7\u6c42\u4e2d\u52a0\u4e0a CSRF \u9632\u62a4 \u662f\u975e\u5e38\u91cd\u8981\u7684\uff0c\u7279\u522b\u662f\u5728\u73b0\u4ee3 Web \u5e94\u7528\uff08\u5982\u4f7f\u7528 jQuery\u3001Ax [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3781,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[61],"tags":[],"class_list":["post-3780","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-php-"],"_links":{"self":[{"href":"https:\/\/www.laixuexila.com\/index.php\/wp-json\/wp\/v2\/posts\/3780","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.laixuexila.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.laixuexila.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.laixuexila.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.laixuexila.com\/index.php\/wp-json\/wp\/v2\/comments?post=3780"}],"version-history":[{"count":1,"href":"https:\/\/www.laixuexila.com\/index.php\/wp-json\/wp\/v2\/posts\/3780\/revisions"}],"predecessor-version":[{"id":3782,"href":"https:\/\/www.laixuexila.com\/index.php\/wp-json\/wp\/v2\/posts\/3780\/revisions\/3782"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.laixuexila.com\/index.php\/wp-json\/wp\/v2\/media\/3781"}],"wp:attachment":[{"href":"https:\/\/www.laixuexila.com\/index.php\/wp-json\/wp\/v2\/media?parent=3780"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.laixuexila.com\/index.php\/wp-json\/wp\/v2\/categories?post=3780"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.laixuexila.com\/index.php\/wp-json\/wp\/v2\/tags?post=3780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}