Difference between revisions of "Cross-Site-Request Forgery (CSRF)"
Revision as of 17:01, 28 December 2020
Cross-Site Request Forgery (CSRF)
In a CSRF attack, victims unwillingly execute state-changing actions on web applications they are authenticated to: an attacker-controlled page makes the victim's browser send a request to the target application, and the browser attaches the victim's session cookie automatically. Some of those actions are
- changing the password
- changing the email address
- changing the user role
- creating an account
- transferring money
Prevention
Synchronizer Token Pattern (STP)
The server generates a secret, unpredictable token, stores it in the user's session and embeds it in every form (or page) that triggers a state-changing action. Each such request must carry the token, and the server rejects the request unless the submitted value matches the one stored in the session. The attacker's page cannot read the token from the victim's page because of the same-origin policy, so it cannot construct a valid request.
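A minimal implementation of the pattern described above, added here as an example (it is not code from the original wiki page). The session dictionary, the form dictionary and the `handle_change_email` handler are simplified stand-ins for what a real web framework provides; only the token generation and comparison logic is the point.

```python
# Added example: synchronizer token pattern with a stand-in session store.
# `session` and `form` are plain dicts that stand in for framework objects.
import hmac
import secrets

SESSION_KEY = "csrf_token"


def issue_token(session):
    """Return the session's CSRF token, creating one on first use.

    The token is a secret, unpredictable value bound to this session; the
    server embeds it in every state-changing form it renders.
    """
    if SESSION_KEY not in session:
        session[SESSION_KEY] = secrets.token_urlsafe(32)
    return session[SESSION_KEY]


def render_form(session, action):
    """Render a form that carries the session's token in a hidden field."""
    token = issue_token(session)
    return (
        f'<form method="POST" action="{action}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="email" name="email">'
        "<button>Change e-mail</button></form>"
    )


def validate_token(session, submitted):
    """True only if the submitted value equals the token stored in the session.

    hmac.compare_digest keeps the comparison constant-time, so an attacker
    cannot recover the token byte by byte from response timing.
    """
    expected = session.get(SESSION_KEY)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_change_email(session, form):
    """Stand-in request handler: refuse the change unless the token matches."""
    if not validate_token(session, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    session["email"] = form["email"]
    return 200, "e-mail updated"


def demo():
    """Legitimate submission succeeds; forged submissions cannot know the token."""
    session = {}  # constructed stand-in for the victim's server-side session
    render_form(session, "/change-email")
    legit = handle_change_email(
        session, {"csrf_token": session[SESSION_KEY], "email": "me@example.org"}
    )
    # The attacker's page can make the victim's browser send the cookie, but
    # it cannot read the victim's page, so it has no valid token to include.
    forged = handle_change_email(session, {"email": "attacker@example.org"})
    guessed = handle_change_email(
        session, {"csrf_token": "AAAA", "email": "attacker@example.org"}
    )
    return legit[0], forged[0], guessed[0]


if __name__ == "__main__":
    print(demo())
```

The token is generated once per session here; per-request tokens are stricter but break the back button and multi-tab use, so most frameworks default to a per-session token and rotate it on login.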
Cookie
Set the "SameSite" attribute of the session cookie to "Strict" so the browser strips it from all cross-site requests. Note that the boundary is the site, not the origin: sibling subdomains of the same registrable domain still count as same-site, so a compromised subdomain can still mount the attack. "Lax" blocks cross-site POSTs but still sends the cookie on top-level GET navigations, so state-changing GET endpoints remain exposed under "Lax".
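The following is an added example, not part of the original page: a Set-Cookie builder beside a small simulation of the browser-side rule that decides whether the cookie travels with a request. The policy function is a constructed model of the SameSite semantics (Strict never cross-site; Lax only on top-level navigations with safe methods; None always, and only with Secure), not real browser code.

```python
# Added example: SameSite attribute and a simulated browser cookie policy.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def set_cookie_header(name, value, samesite="Strict", secure=True):
    """Build the Set-Cookie header for a session cookie.

    The weak setting is SameSite=None (cookie sent on every cross-site
    request); the hardened one is Strict, the default here.
    """
    if samesite not in {"Strict", "Lax", "None"}:
        raise ValueError(f"unknown SameSite value: {samesite}")
    if samesite == "None" and not secure:
        raise ValueError("SameSite=None cookies must also be Secure")
    parts = [f"{name}={value}", "HttpOnly", "Path=/", f"SameSite={samesite}"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def cookie_is_sent(samesite, same_site_request, top_level_navigation, method):
    """Return True if a browser attaches the cookie to this request.

    Simulation of the SameSite rules: same-site requests always carry the
    cookie; cross-site behaviour depends on the attribute.
    """
    if same_site_request:
        return True
    if samesite == "Strict":
        return False  # never sent cross-site, not even on a link click
    if samesite == "Lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True  # SameSite=None: sent on every request


def forged_post_blocked(samesite):
    """Classic CSRF vector: a hidden form on the attacker's site auto-submits a
    POST to the target. That is a cross-site top-level navigation with an
    unsafe method, so Strict and Lax both withhold the cookie; None does not."""
    return not cookie_is_sent(
        samesite, same_site_request=False, top_level_navigation=True, method="POST"
    )


def forged_get_blocked(samesite):
    """A cross-site link or image pointing at a state-changing GET endpoint:
    only Strict withholds the cookie here."""
    return not cookie_is_sent(
        samesite, same_site_request=False, top_level_navigation=True, method="GET"
    )


if __name__ == "__main__":
    print(set_cookie_header("session", "s3cr3t"))
    for mode in ("Strict", "Lax", "None"):
        print(mode, forged_post_blocked(mode), forged_get_blocked(mode))
```

The simulation makes the practical trade-off visible: Strict also drops the cookie when a user follows a legitimate link from another site, so the first request lands logged out; Lax avoids that but only protects endpoints that change state on unsafe methods.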
Custom HTTP Header
A custom header can only be added by JavaScript, and JavaScript running on a different origin can only add it if the server's CORS preflight response explicitly allows that header for the requesting origin. An HTML form cannot set headers at all. Requiring a custom header on every state-changing request, and never listing it in Access-Control-Allow-Headers for untrusted origins, therefore blocks forged form submissions.
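An added example (not code from the original page) of the server side of this defence: a check that unsafe-method requests carry the custom header, next to the CORS preflight handler that decides which origins may add it. The header name `X-Requested-With`, its value `XMLHttpRequest`, the trusted-origin set and the request shape (method string plus header dict) are assumptions for illustration.

```python
# Added example: custom-header CSRF check plus the CORS preflight that
# controls which origins may add that header. Names and origins are assumed.
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
REQUIRED_HEADER = "x-requested-with"  # assumed header name (compared lower-case)
REQUIRED_VALUE = "XMLHttpRequest"  # assumed value the client JavaScript sets
TRUSTED_ORIGINS = {"https://app.example.org"}  # assumed first-party origin
ALLOWED_HEADERS = {"content-type", REQUIRED_HEADER}


def passes_custom_header_check(method, headers):
    """Safe methods pass; unsafe ones must carry the custom header.

    An HTML form on the attacker's site cannot add headers, so a forged form
    submission fails here even though the browser attached the cookie.
    """
    if method.upper() not in UNSAFE_METHODS:
        return True
    lowered = {name.lower(): value for name, value in headers.items()}
    return lowered.get(REQUIRED_HEADER) == REQUIRED_VALUE


def preflight_response(origin, requested_headers):
    """Answer a CORS preflight (OPTIONS with Access-Control-Request-Headers).

    Returning None means no Access-Control-* headers at all, so the browser
    refuses to send the real request from that origin. Only trusted origins
    are ever allowed to attach the custom header cross-origin; echoing every
    origin here would void the protection.
    """
    if origin not in TRUSTED_ORIGINS:
        return None
    granted = [h for h in requested_headers if h.lower() in ALLOWED_HEADERS]
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Headers": ", ".join(granted),
        "Access-Control-Allow-Methods": "POST, PUT, PATCH, DELETE",
        "Vary": "Origin",
    }


def demo():
    """Three constructed requests: forged form, same-origin fetch, foreign fetch."""
    # 1. Hidden auto-submitting form on https://attacker.example: cookie goes
    #    along, but no custom header can be set from HTML.
    forged_form = passes_custom_header_check(
        "POST", {"Content-Type": "application/x-www-form-urlencoded"}
    )
    # 2. Same-origin JavaScript, e.g.
    #    fetch('/change-email', {method: 'POST',
    #          headers: {'X-Requested-With': 'XMLHttpRequest'}})
    legit = passes_custom_header_check(
        "POST", {"Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest"}
    )
    # 3. Cross-origin JavaScript on attacker.example tries the same fetch: the
    #    browser sends a preflight first, and the server does not allow it.
    preflight = preflight_response("https://attacker.example", ["x-requested-with"])
    return forged_form, legit, preflight is None


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the preflight policy: a server that reflects any Origin into Access-Control-Allow-Origin and allows the custom header hands the attacker's JavaScript exactly the capability this defence relies on denying.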