CSRF token with static website on S3 bucket


Hi there, I'm trying to move my private static website to be hosted on an S3 bucket. I have a solution that fully works without the usage of the website hosting feature of S3. Actually, I have an ALB that forwards the traffic to my S3 bucket via private endpoints. All fine up until here. The next challenge is integrating CSRF tokens into the workflow. Basically, I would like to generate a CSRF token when the first call gets in and then validate it on every next request. Since the CSRF token is managed on the server side, in the current scenario with the S3 bucket I have no server which can take care of that. So, the idea would be to use a Lambda function that intercepts the initial call (on a specific path, for example), generates the CSRF token, and passes it back to the HTTP call. Any idea how I could implement the Lambda function for such a scenario?

Thank you

2 Answers

It might be a good idea to put CloudFront Distribution in front of your ALB.

This has the advantage that it can arrange caching of static files for you.

It also gives you flexibility in adding more Origins on specific paths; this could well be a Lambda.

CloudFront with Lambda origin

You can create your CSRF token in the lambda.

Validation of the token is usually only done when HTTP-posting something.

JaccoPK
answered a year ago
  • Hi there, CloudFront will force me to go via the Internet at least for the authentication. Actually, I would like to keep the entire workflow private.

  • Ah, didn't understand that requirement yet.

    Then I'd go for a very simple thingy in between, maybe even a Lambda with a URL.

    Otherwise a simple EC2 instance or ECS container with some intelligent proxy.
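The question asks how a Lambda sitting behind the ALB could hand out a CSRF token on the first call and check it afterwards, and the answer above suggests creating the token in the Lambda and validating it only on state-changing requests. The block below is an added example written for this thread, not code from the question, the answer or AWS. It assumes the Lambda is an ALB target (so it receives the ALB event shape with `httpMethod`, `path` and `headers`), that the first call hits an assumed `/csrf` path, that the front-end echoes the token in an assumed `x-csrf-token` header on every POST, and that the HMAC key is a constructed constant (in a deployment it would be loaded from Secrets Manager or SSM so all Lambda instances share it). Because the token is HMAC-signed and carries its own issue time, the Lambda keeps no state at all, which is exactly what an S3-only setup lacks.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed key for this example only; load it from a secret store in practice.
SECRET_KEY = b"constructed-example-key-not-for-production"
COOKIE_NAME = "csrf"
HEADER_NAME = "x-csrf-token"   # assumed header the front-end sends on POST
ISSUE_PATH = "/csrf"           # assumed path the very first call hits
TOKEN_TTL = 3600               # seconds a token stays valid
STATUS = {200: "200 OK", 403: "403 Forbidden"}


def issue_token(now=None):
    """Random nonce + issue time, HMAC-signed so validation needs no stored state."""
    now = int(time.time() if now is None else now)
    payload = f"{secrets.token_urlsafe(16)}.{now}"
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def token_is_valid(token, now=None):
    """True only if the signature matches and the token has not outlived TOKEN_TTL."""
    now = int(time.time() if now is None else now)
    try:
        nonce, issued, sig = token.split(".")
        issued_at = int(issued)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(SECRET_KEY, f"{nonce}.{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    return 0 <= now - issued_at <= TOKEN_TTL


def _header(headers, name):
    # ALB lower-cases header names, but stay tolerant of mixed case.
    for key, value in (headers or {}).items():
        if key.lower() == name:
            return value
    return None


def _cookie(headers, name):
    for part in (_header(headers, "cookie") or "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def _response(status, body, extra_headers=None):
    headers = {"content-type": "application/json"}
    headers.update(extra_headers or {})
    return {"statusCode": status, "statusDescription": STATUS[status],
            "headers": headers, "body": json.dumps(body), "isBase64Encoded": False}


def handler(event, context=None):
    method = event.get("httpMethod", "GET").upper()
    headers = event.get("headers") or {}

    if method == "GET" and event.get("path") == ISSUE_PATH:
        token = issue_token()
        cookie = f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Strict"
        # Same token in an HttpOnly cookie and in the body: the page keeps the body copy
        # in memory and echoes it in a header; another origin can read neither.
        return _response(200, {"csrfToken": token}, {"set-cookie": cookie})

    if method in ("GET", "HEAD", "OPTIONS"):
        return _response(200, {"ok": True})   # safe methods are not CSRF-checked

    cookie_token = _cookie(headers, COOKIE_NAME)
    header_token = _header(headers, HEADER_NAME)
    if not cookie_token or not header_token:
        return _response(403, {"error": "missing CSRF token"})
    if not hmac.compare_digest(cookie_token, header_token) or not token_is_valid(cookie_token):
        return _response(403, {"error": "invalid CSRF token"})
    return _response(200, {"ok": True})


def demo():
    """Constructed walk-through: first call, a legitimate POST, then a forged cross-site POST."""
    first = handler({"httpMethod": "GET", "path": ISSUE_PATH, "headers": {}})
    token = json.loads(first["body"])["csrfToken"]
    good = handler({"httpMethod": "POST", "path": "/submit",
                    "headers": {"cookie": f"{COOKIE_NAME}={token}", HEADER_NAME: token}})
    # A cross-site form post carries the cookie but cannot add the custom header.
    forged = handler({"httpMethod": "POST", "path": "/submit",
                      "headers": {"cookie": f"{COOKIE_NAME}={token}"}})
    return first["statusCode"], good["statusCode"], forged["statusCode"]


if __name__ == "__main__":
    print(demo())   # (200, 200, 403)
```

Only the path that issues tokens and the state-changing requests need to reach the Lambda; GET requests for the static files can keep going straight to the S3 origin. The expiry check is what stops a leaked token from being replayed indefinitely, and `hmac.compare_digest` avoids a timing side channel on both the signature and the cookie/header comparison.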


Hi there, the solution I found consists of getting rid of the CSRF record altogether. In particular, instead of using cookies we opted for using local storage on the client side. The idea is to:

  1. Remove the CSRF token part
  2. Update the authentication code to no longer use cookies but replace them with local storage on the client side (https://stackoverflow.com/questions/35291573/csrf-protection-with-json-web-tokens)
    • This requires “small” changes on the application side (back-end and front-end actually).
  3. Enable CORS on the S3 bucket

On top of that, using OIDC or moving the authentication to the ALB, we can totally get rid of the backend and host the website fully on an S3 bucket. ;)
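The three steps above replace the cookie with a token that the front-end stores in local storage and sends explicitly in an `Authorization` header. The reason this removes the CSRF problem is that a browser attaches cookies to a cross-site form post on its own but never attaches an `Authorization` header unless the page's own script adds it; the trade-off is that anything readable by script in local storage is exposed if the site ever has an XSS bug. The block below is an added example written for this thread, not code from the answer or the linked Stack Overflow post: a Lambda handler that ignores cookies entirely and accepts only a bearer JWT (HS256, algorithm pinned, expiry enforced), plus the S3 CORS rule shape that `put_bucket_cors` accepts, restricted to the site's own origin rather than `*`. The signing key and the site origin are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

JWT_KEY = b"constructed-example-jwt-key-not-for-production"  # constructed; use a secret store
SITE_ORIGIN = "https://static-site.example"                   # placeholder for the site's origin
STATUS = {200: "200 OK", 401: "401 Unauthorized"}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(subject, ttl=900, now=None):
    """Compact HS256 JWT: header.claims.signature, all base64url without padding."""
    now = int(time.time() if now is None else now)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = _b64url(json.dumps({"sub": subject, "iat": now, "exp": now + ttl},
                                separators=(",", ":")).encode())
    sig = _b64url(hmac.new(JWT_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest())
    return f"{header}.{claims}.{sig}"


def verify_jwt(token, now=None):
    """Return the claims dict if signature, algorithm and expiry check out, else None."""
    now = int(time.time() if now is None else now)
    try:
        header_b64, claims_b64, sig = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, AttributeError):
        return None
    # Pin the algorithm: never honour "none" or a switch to a different scheme.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = _b64url(hmac.new(JWT_KEY, f"{header_b64}.{claims_b64}".encode(),
                                hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def _response(status, body):
    return {"statusCode": status, "statusDescription": STATUS[status],
            "headers": {"content-type": "application/json"},
            "body": json.dumps(body), "isBase64Encoded": False}


def handler(event, context=None):
    """ALB-target Lambda: cookies are deliberately ignored, only the bearer token counts."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return _response(401, {"error": "bearer token required"})
    claims = verify_jwt(auth[len("Bearer "):])
    if claims is None:
        return _response(401, {"error": "invalid or expired token"})
    return _response(200, {"user": claims["sub"]})


def s3_cors_rules(site_origin=SITE_ORIGIN):
    """CORSRules list in the shape boto3's s3.put_bucket_cors(CORSConfiguration=...) takes.

    Needed because the page and the API now live on different origins; the origin is
    listed explicitly because a wildcard would let any site's script fetch the assets.
    """
    return [{
        "AllowedOrigins": [site_origin],
        "AllowedMethods": ["GET", "HEAD"],
        "AllowedHeaders": ["Authorization", "Content-Type"],
        "MaxAgeSeconds": 3000,
    }]


if __name__ == "__main__":
    token = mint_jwt("alice")
    print(handler({"httpMethod": "GET", "path": "/api/me",
                   "headers": {"authorization": f"Bearer {token}"}})["statusCode"])  # 200
```

On the client side the corresponding change is to read the token from `localStorage` and pass it as `Authorization: Bearer <token>` in `fetch` calls; a request that arrives with only a session cookie, which is all a forged cross-site form can produce, is rejected with 401 regardless of method.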

answered a year ago
