What response should be sent back when cross-site request forgery (CSRF) is detected?


There is a crawl tool that I cannot hold, saying that one of my pages is not protected from CSRF. But this. The answer that I am sending back is a normal 202 with the sentence “REQUEST CANNOT BE PROCESSED”. What is this, nothing informative has been sent to the attacker, and I am logging an attempt. But this software says that it is still susceptible to CSRF. I could easily run the tests myself and figure it out, but it's a long time between scans and tests, and I can't get the same software, so I ask on StackOverflow so I can, hopefully, knock it out of the next scheduled scan. I am going to send a status code 404 or 410 instead of 202. http://www.cfgears.com/index.cfm/2009/8/11/cfheader-404-status-codes-and-why-you-shouldnt-use-them

What do you recommend sending back when CSRF is detected?

+4
2 answers

403 Forbidden, since the user has the right to access the site, this is simply a forbidden action (HTTP POST without the correct CSRF token).

The web server can return a 403 Forbidden HTTP status code in response to a client request for a web page or resource to indicate that the server can be reached and understood the request, but refuses to take any further action. The status code 403 of the responses is the result of the web server being configured to deny access to the requested resource by the client.


+5
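An added example (not from the original answer or the asker's application) of what the answer above recommends: a framework-free handler that issues a per-session CSRF token, compares the submitted token in constant time, and on failure logs the attempt server-side while returning 403 Forbidden with a generic body. The in-memory session store, the session ids and the form dictionaries are constructed for the example; a real application would keep the token in its session storage and read it from the POST body or a header.

```python
import hmac
import logging
import secrets

logger = logging.getLogger("csrf")

# Constructed in-memory store: session id -> CSRF token (stands in for real session storage)
SESSIONS = {}


def issue_token(session_id):
    """Mint a random per-session CSRF token, store it server-side and return it
    so the page can embed it in its form (hidden field) for the browser to echo back."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def check_csrf(session_id, submitted_token):
    """True only if the submitted token equals the token stored for this session.
    hmac.compare_digest keeps the comparison time independent of where the
    strings first differ, so the check itself leaks nothing about the token."""
    expected = SESSIONS.get(session_id)
    if expected is None or not isinstance(submitted_token, str):
        return False
    return hmac.compare_digest(expected.encode("utf-8"), submitted_token.encode("utf-8"))


def handle_post(session_id, form, method="POST"):
    """Stand-in for a state-changing endpoint. Returns (status_code, body).

    On a CSRF failure the client gets 403 Forbidden with a body that says
    nothing about why; the reason is recorded only in the server log. A 2xx
    such as 202 Accepted would tell a scanner the request was taken for
    processing, which is exactly what the check is meant to deny."""
    if method != "POST":
        return 405, "METHOD NOT ALLOWED"
    if not check_csrf(session_id, form.get("csrf_token")):
        logger.warning("CSRF check failed for session %s", session_id)
        return 403, "REQUEST CANNOT BE PROCESSED"
    return 200, "OK"


if __name__ == "__main__":
    sid = "sess-1"  # constructed session id
    tok = issue_token(sid)
    print(handle_post(sid, {"csrf_token": tok}))      # token matches
    print(handle_post(sid, {}))                       # token missing
    print(handle_post("sess-2", {"csrf_token": tok})) # token belongs to another session
```

The status line is the part a scanner reads: the body text can stay as generic as the asker's, but pairing it with 403 rather than 202 makes the refusal visible to tooling and to anyone reading the access log.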


401 403

+2

Source: https://habr.com/ru/post/1539315/

