Working with JSON — Schemas and CSRF

John Au-Yeung - Jan 25 '21 - - Dev Community

Check out my books on Amazon at https://www.amazon.com/John-Au-Yeung/e/B08FT5NT62

Subscribe to my email list now at http://jauyeung.net/subscribe/

JSON stands for JavaScript Object Notation.

It’s a popular data-interchange format that has many uses.

In this article, we’ll take a look at how to use JSON.

JSON Schemas

We can validate our JSON data against a JSON schema to check that the data types are correct.

Also, we can check if we have the required data.

And we check if the values are in the format that we require.

For example, if we have:

```json
{
    "$schema": "http://json-schema.org/draft-04/schema#",
    "title": "Person",
    "properties": {
        "name": {
            "type": "string"
        },
        "age": {
            "type": "number",
            "description": "Your person's age in years."
        },
        "gender": {
            "type": "string"
        },
        "description": {
            "type": "string"
        }
    },
    "required": [
        "name",
        "age",
        "gender"
    ]
}
```

then we have a Person schema whose name property has type string.

The age property has type number.

gender is of type string and description is also of type string.

Also, it has the required property, which holds an array of the property names that must be present.

For example, if we have:

```json
{
    "name": "james",
    "age": 2,
    "gender": "male"
}
```

then it conforms to the schema that we just created above.

We can add more validation to our schema.

We can set the minimum number allowed for age .

For example, we can write:

```json
{
    "$schema": "http://json-schema.org/draft-04/schema#",
    "title": "Person",
    "properties": {
        "name": {
            "type": "string"
        },
        "age": {
            "type": "number",
            "description": "Your person's age in years.",
            "minimum": 0
        },
        "gender": {
            "type": "string"
        },
        "description": {
            "type": "string"
        }
    },
    "required": [
        "name",
        "age",
        "gender"
    ]
}
```

to set the minimum allowed value for age.

Then if we want to validate an object against our schema, we can go to https://www.jsonschemavalidator.net/.

If we have anything that doesn’t conform to the schema we specified, we’ll see the errors.

We put the schema object on the left side and the JSON object we want to check against on the right side.
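To see what the validator is doing, here is a small validator written for this article (it is not code from the post or from jsonschemavalidator.net) that implements just the keywords the Person schema uses: type, properties, required and minimum. The Person schema is reproduced inline and the two instances it checks are constructed for the example.

```javascript
// Minimal JSON Schema (draft-04 subset) validator: "type", "properties",
// "required" and "minimum". Returns a list of error strings; empty means valid.
function jsonType(value) {
  if (value === null) return "null";
  if (Array.isArray(value)) return "array";
  return typeof value; // "string", "number", "boolean" or "object"
}
// Own-property check so inherited names such as "constructor" cannot satisfy "required"
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function validate(schema, data, path = "$") {
  const errors = [];
  if (schema.type !== undefined) {
    const actual = jsonType(data);
    // draft-04 "integer" is a number with no fractional part
    const ok = schema.type === "integer"
      ? actual === "number" && Number.isInteger(data)
      : actual === schema.type;
    if (!ok) errors.push(`${path}: expected ${schema.type}, got ${actual}`);
  }
  if (schema.minimum !== undefined && typeof data === "number" && data < schema.minimum) {
    errors.push(`${path}: ${data} is below minimum ${schema.minimum}`);
  }
  // "required" and "properties" only apply when the instance is an object; note the
  // Person schema has no top-level "type": "object", so a bare string would pass it
  if (jsonType(data) === "object") {
    for (const key of schema.required || []) {
      if (!hasOwn(data, key)) errors.push(`${path}.${key}: required property missing`);
    }
    for (const [key, sub] of Object.entries(schema.properties || {})) {
      if (hasOwn(data, key)) errors.push(...validate(sub, data[key], `${path}.${key}`));
    }
  }
  return errors;
}

// The Person schema from the post, plus two constructed instances
const personSchema = {
  title: "Person",
  properties: {
    name: { type: "string" },
    age: { type: "number", description: "Your person's age in years.", minimum: 0 },
    gender: { type: "string" },
    description: { type: "string" },
  },
  required: ["name", "age", "gender"],
};
const validPerson = { name: "james", age: 2, gender: "male" };
const badPerson = { name: "james", age: -2 }; // missing gender, negative age
console.log(validate(personSchema, validPerson)); // []
console.log(validate(personSchema, badPerson));   // two errors: gender, age
```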

JSON Security

Since we’re using JSON to communicate between 2 or more parties, we’ll have to look at security.

Anything that communicates over a network will have security risks.

There are various kinds of attacks that we have to be concerned about.

Cross-Site Request Forgery (CSRF)

One kind of attack that we have to worry about is the cross-site request forgery.

This is where an attacker sends requests to a site on which a legitimate user is already authenticated.

So the attacker can get at the sensitive data that is in the site.

Attackers can gain access to sites that require authentication because the browser includes the user's cookies with every request to that site, so a forged request may be able to use them to authenticate.

There’s no way to distinguish between legitimate requests and forged requests unless a CSRF token is used to distinguish between them.

Most web frameworks have built-in protection against this attack.

Conclusion

We can validate our JSON objects against a JSON schema to check that they have the shape we require.

Also, we have to be careful about CSRF attacks to stop attackers from accessing sensitive data with forged requests.
