All geek questions in one place

CSRF Prevention?

I already saw some question from here (stackoverflow) and IT , but I still have some questions ...

  • Using a hidden value in the form of a message and check it when the message reaches the server.

    • The hidden value can be easily copied and sent in the same way as the real one, “hard to guess” (for example, md5) will not help. (Right?)

  • Setting a cookie on reaching the form and sending the cookie value as a hidden value.

    • You can easily change the cookie value or send a custom cookie in the same way as a real one, using the same real hidden value. (Right?)

  • Using a timeout, POST values ​​cannot appear too late.

    • So, if you are slow, you will fail when you try to set everything with a hidden value. If you are fast, it will work. (Right?)

I want to be protected from CSRF ... but how exactly do I do it?

+6
source share
2 answers

The easiest way I found to prevent problems with CSRF:

  1. On the server side, assign the client a HttpOnly cookie with a random (not guessable) token

  2. Put a hidden field in the form with this cookie value.

  3. After submitting the form, make sure that the value of the hidden field is equal to the cookie value (on the server side)

+7
source

If you make the following changes, I think you're safe

  • no data updates should be allowed via GET (or better POST) (since both can be used via HTML forms)
  • disable CORS on your server (or at least on endpoints that are critical and / or make changes to the data).
  • allow using only JSON-API (i.e. accept input only through JSON at critical endpoints)

Just add above: do not use method overrides and do not support older browsers.

-1
source

Source: https://habr.com/ru/post/905007/

More articles:


All Articles