Is a security risk allowing the CSRF token to be sent in the body OR header?

Most CSRF solutions seem to insist that the CSRF token is sent as part of the POST data.

In my situation, the data sent is JSON, and I do not control what is sent (and I do not want to start messing with the JSON). So, I'm going to send the CSRF token as a header. However, there are old parts of my application that still need to be able to send a token in the body (for example, they are sent from HTML forms).

So my CSRF protection would have to allow the request if a valid CSRF token appeared in the body or header. Is this a security risk compared to claiming the token is in the body?

+4
2 answers

CSRF is the sending of unwanted data on behalf of a user to a server on which the attacker believes that user is logged in.

The idea of the protection is that the server ties a token to your session and sends it to you both as a cookie and as a required part of the payload. Then, whenever you send something, you send the token in the payload and as a cookie. An attacker cannot guess which token is in the cookie or the session. If the server receives a request with two different tokens, it rejects it.

I think it is fine to put the payload token in a header, as it is not a “Cookie” or any other header that is “remembered” and sent automatically by the browser.

+2
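The double-submit check described in this answer, accepting the token from either a header or a form field while still requiring it to match the cookie and the session, as an added Python example (not code from the original post; the header, field and cookie names and the `Request` stand-in are assumptions):

```python
import hmac
import secrets
from dataclasses import dataclass, field

HEADER_NAME = "X-CSRF-Token"  # assumed header name used by the JSON clients
FIELD_NAME = "csrf_token"     # assumed hidden form field used by the old HTML forms
COOKIE_NAME = "csrf_token"    # assumed cookie name


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def issue_token() -> str:
    """Fresh unguessable token to store in the session and to send as the cookie."""
    return secrets.token_urlsafe(32)


def extract_submitted_token(req: Request):
    """Take the token from the header if present, otherwise from the form body.

    Either source is acceptable: neither is attached by the browser on its own.
    A cross-site form can only carry values the attacker already knows, and a
    cross-site XHR/fetch cannot add a custom header without a CORS preflight.
    If both are present they must agree, otherwise the request is rejected.
    """
    header_tok = req.headers.get(HEADER_NAME)
    body_tok = req.form.get(FIELD_NAME)
    if header_tok and body_tok and not hmac.compare_digest(header_tok, body_tok):
        return None
    return header_tok or body_tok


def csrf_valid(req: Request, session_token: str) -> bool:
    """Submitted token must equal both the session token and the cookie token."""
    submitted = extract_submitted_token(req)
    cookie_tok = req.cookies.get(COOKIE_NAME)
    if not submitted or not cookie_tok or not session_token:
        return False
    # Constant-time comparisons so a mismatch does not leak the token via timing.
    return (hmac.compare_digest(submitted, session_token)
            and hmac.compare_digest(cookie_tok, session_token))
```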


Source: https://habr.com/ru/post/1544858/