Comments (7)
steebchen
commented on June 8, 2024
4
I'm not sure if that's true for what @robojones suggests.
If your API just accepts POST requests, it looks like checking for the origin header seems to be sufficient in 2020 onward; assuming you use it in combination with SameSite=Strict cookies.
Also see:
I'm not saying CSRF is not useful anymore, I just think that SameSite=Strict plus checking the origin header is probably sufficient for most people, and doesn't need any storage on the server.
from csrf.
robojones
commented on June 8, 2024
2
why is using SameSite=Strict cookies a requirement? Isn't reading the Origin header enough?
SameSite=Strict on cookies just provides an additional layer of security.
I did look into this and checking the Origin header should be sufficient to prevent CSRF.
Doesn't that mean the
Originheader is sent for all cross-domain POSTs over HTTPS? As for GET and HEAD, as long as you ensure those methods don't mutate state, you should be fine to skip the origin check, right?
Yup
from csrf.
philipjscott
commented on June 8, 2024
1
@steebchen why is using SameSite=Strict cookies a requirement? Isn't reading the Origin header enough?
@elithrar regarding:
which may not be present in all cases, and certainly not for a cross-domain POST over HTTPS
According to https://fetch.spec.whatwg.org/#cors-request,
A CORS request is an HTTP request that includes an
Originheader. It cannot be reliably identified as participating in the CORS protocol as theOriginheader is also included for all requests whose method is neitherGETnorHEAD.
Doesn't that mean the Origin header is sent for all cross-domain POSTs over HTTPS? As for GET and HEAD, as long as you ensure those methods don't mutate state, you should be fine to skip the origin check, right?
from csrf.
elithrar
commented on June 8, 2024
Please take a look at
https://owasp.org/www-community/attacks/csrf and
https://portswigger.net/web-security/csrf
Validating the Origin / Referer headers - which may not be present in all
cases, and certainly not for a cross-domain POST over HTTPS - does not
protect you from CSRF attacks.
from csrf.
stale
commented on June 8, 2024
This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.
from csrf.
robojones
commented on June 8, 2024
Thanks for clarifying that @elithrar 👍
from csrf.
stale
commented on June 8, 2024
This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.
from csrf.
Related Issues (20)
- [question] X-Csrf-Token is empty in Response headers (Secure is off) HOT 10
- [question] How to use gorilla/csrf for CSRF protection when authenticating with OpenID Connect? HOT 4
- Default path can cause unexpected CSRF token rejections HOT 4
- [bug] Change default request header onto custom HOT 3
- csrf.go: ErrBadReferer due to empty r.URL.Host HOT 1
- [bug] Not providing token results in wrong error HOT 1
- [question] How do I set csrf token from React HOT 1
- Multiple _gorilla_csrf cookies create an issue HOT 2
- [bug] README.md does not mention the need to keep the CSRF key secret HOT 1
- user disabled/blocked cookies on their browser.
- [docs] HOT 1
- Cannot get basic version of in-browser Javascript application documentation working HOT 8
- Package is not `go get`able [bug] HOT 2
- CSRF middlware is not usable with go gin HOT 1
- [bug] Generate CSRF tokens for skipped requests
- Forbidden - CSRF token invalid
- [BUG] Middleware doesn't work with Chi HOT 1
- First request to protected endpoint fails, CSRF header is empty
- [Question] How to log HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from csrf.