Hi Telerik,
We did the security scanning for our website using Acunetix Security Scanner. We received summary that related to Kendo UI.
4. Absence of Anti-CSRF Tokens
[Low]
Trigger by : Kendo All min.js , and those
MVC form which do know have @Html.AntiForgeryToken()
Solution : For
kendo,don’t have yet.
For MVC form
which do not used form submit feature, change <form> to <div> html
tag.
For MVC form
which used form submit , add @Html.AntiForgeryToken(), MVC controller will auto received and validate
this token when form being submit.
I was wondering if you could give me some advice about this.
1 Answer, 1 is accepted
Hello Afandi,
security at the application level (in the discussed case, communication client/server) is determined by the way different parts of the application are organized and used together. Having that said, using the @Html.AntiForgeryToken() in an ASP.NET MVC application is a proper approach to apply additional security level to that part of the app.
Concerning the Kendo UI scenario in question, I suppose you are referring to some king of client-side JavaScript application. Depending on the technology involved in the server implementation, you may approach the scenario in question in different ways. Here is general advice on the bove, as well as a specific example for Node.js applications:
https://stackoverflow.com/questions/3664044/anti-csrf-token-and-javascript
https://blog.insiderattack.net/developing-secure-node-js-applications-a-broad-guide-286afdec69ce
Regards,
Veselin Tsvetanov
Progress Telerik