Difference between revisions of "Cross-Site-Request Forgery (CSRF)"
Jump to navigation
Jump to search
(Removed redirect to Basic:Cross-Site-Request-Forgery) Tag: Removed redirect |
|||
| Line 1: | Line 1: | ||
[[Category:Basic]] | [[Category:Basic]] | ||
= Cross-Site-Request Forgery = | |||
Victims are executing actions unwillingly on Webapplications they are authenticated to. Some of those actions are | Victims are executing actions unwillingly on Webapplications they are authenticated to. Some of those actions are | ||
* changing password | * changing password | ||
| Line 7: | Line 8: | ||
* create account | * create account | ||
* transfer money | * transfer money | ||
= Prevention = | |||
=== Synchronizer Token Pattern (STP) ===+ | |||
This pattern includes a token, secret and a unique value in each request which is then validated by the server. | |||
=== Cookie === | |||
Set the "SameSite" attribute to "Strict" to stripe it off all cross-origin requests. | |||
=== Custom HTTP-Header === | |||
Custom-Header can only be added by JavaScript and only within its origin. | |||
Revision as of 17:00, 28 December 2020
Cross-Site-Request Forgery
Victims are executing actions unwillingly on Webapplications they are authenticated to. Some of those actions are
- changing password
- changing email-addresse
- changing user-role
- create account
- transfer money
Prevention
=== Synchronizer Token Pattern (STP) ===+ This pattern includes a token, secret and a unique value in each request which is then validated by the server.
Cookie
Set the "SameSite" attribute to "Strict" to stripe it off all cross-origin requests.
Custom HTTP-Header
Custom-Header can only be added by JavaScript and only within its origin.