Questions tagged [csrf]

A cross-site request forgery (CSRF) attack causes a visitor of a malicious website to send a request to a legitimate website to which they are already logged in, with the browser automatically including the session cookie.

664 questions
234
votes
7 answers

Should I use CSRF protection on Rest API endpoints?

Quick note: this is not a duplicate of CSRF protection with custom headers (and without validating token) despite some overlap. That post discusses how to perform CSRF protection on Rest endpoints without discussing if it is actually necessary. …
Conor Mancone
  • 29,899
  • 13
  • 91
  • 96
109
votes
4 answers

Do I need CSRF token if I'm using Bearer JWT?

Context: Angular site is hosted on S3 behind CloudFront, separate from Express server that is used as API and almost all requests are XMLHttpRequests. All requests are sent without cookies (withCredentials = false by default) and I use JWT Bearer…
Igor Pomogai
  • 1,193
  • 2
  • 8
  • 7
107
votes
8 answers

Why refresh CSRF token per form request?

In many tutorials and guides I see that a CSRF token should be refreshed per request. My question is why do I have to do this? Isn't a single CSRF token per session much easier than generating one per request and keeping track of the ones…
Philipp Gayret
  • 1,383
  • 2
  • 10
  • 14
87
votes
2 answers

Should I use AntiForgeryToken in all forms, even login and registration?

I'm running a rather large site with thousands of visits every day, and a rather large userbase. Since I started migrating to MVC 3, I've been putting the AntiForgeryToken in a number of forms, that modify protected data etc. Some other forms, like…
Artiom Chilaru
  • 973
  • 1
  • 9
  • 7
83
votes
7 answers

Does a CSRF cookie need to be HttpOnly?

We were recently handed a security report containing the following: Cookie(s) without HttpOnly flag set vulnerability, which we apparently had in one of our internal applications. The applied fix was as simple as setting Django's…
alecxe
  • 1,515
  • 5
  • 19
  • 34
80
votes
5 answers

CSRF protection with custom headers (and without validating token)

For a REST-api it seems that it is sufficient to check the presence of a custom header to protect against CSRF attacks, e.g. client sends "X-Requested-By: whatever" and the server checks the presence of "X-Requested-By" and drops the request if the…
Mads Mobæk
  • 903
  • 1
  • 7
  • 7
60
votes
6 answers

Is CORS helping in any way against Cross-Site Forgery?

I've been reading in the last couple of days about CORS and in a lot of places it's mentioned as it is a "Security" feature to help the world from cross domain forgery. I still don't see the benefit and the reasoning for CORS. Ok, browsers will do…
Dan Dinu
  • 709
  • 1
  • 6
  • 5
56
votes
2 answers

Why is the Access-Control-Allow-Origin header necessary?

I understand the purpose of the Access-Control-Allow-Credentials header, but can't see what problem the Access-Control-Allow-Origin header solves. More precisely, it's easy to see how, if cross-domain AJAX requests with credentials were permitted by…
Mark Amery
  • 1,777
  • 2
  • 13
  • 19
53
votes
1 answer

Is Django's built-in security enough?

I have learned that Django provides built-in protection against the three main types of web app attacks (SQL injection, XSS and CSRF), which is really awesome. Yet I have spoken to a few Django developers and they have essentially told me not to…
pleasedesktop
  • 633
  • 1
  • 6
  • 6
52
votes
3 answers

For SameSite cookie with subdomains what are considered the same site?

For the samesite cookie attribute I'm not clear on if I set a cookie with domain .example.com from sub.example.com with the samesite attribute, if it will be considered the same site as other.example.com. Cookie behavior is different than CORS and…
derduher
  • 623
  • 1
  • 4
  • 6
51
votes
5 answers

Should I use CSRF protection for GET requests?

I've seen several blanket statements on the web to the effect that you don't need CSRF protection for GET requests. But many web applications have GET requests that return sensitive data, right? Then wouldn't you want to protect those against CSRF…
jtpereyda
  • 1,430
  • 2
  • 16
  • 26
50
votes
4 answers

OAuth2 Cross Site Request Forgery, and state parameter

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-30#section-10.12 says: The client MUST implement CSRF protection [...] typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the…
Markus von Broady
  • 686
  • 1
  • 6
  • 14
46
votes
3 answers

Why don't browsers block cross-site POSTs by default?

Same-origin policy (SOP) makes browsers block scripting from one origin to mess with another, unless explicitly being told not to do so. But cross-site POSTs are still allowed, creating the vector for CSRF attacks. The defense is anti-forgery…
Andrada2
  • 575
  • 4
  • 7
46
votes
2 answers

Will same-site cookies be sufficient protection against CSRF and XSS?

I must say, that I like this idea and it seems that it will bring a new form of protection against CSRF and XSS or at least it will reduce those attacks. So, how effective will this protection be? SameSite-cookies is a mechanism for defining how…
Mirsad
  • 10,005
  • 8
  • 33
  • 53
39
votes
1 answer

Difference between XSS and CSRF?

I know about cross-site scripting and cross-site request forgery. I want to know if there is any similarity between them.
codeur
  • 581
  • 2
  • 6
  • 12