Cross-Site Request Forgery (CSRF)
Victims are made to execute actions they did not intend on web applications to which they are authenticated. Examples of such actions are:
- changing the password
- changing the e-mail address
- changing the user role
- creating an account
- transferring money
Prevention
Synchronizer Token Pattern (STP)
This pattern includes a secret, unique token in each state-changing request, which the server then validates against the value it stored for the session.
Cookie
Set the "SameSite" attribute of the session cookie to "Strict", so the browser omits the cookie from all cross-site requests.
Custom HTTP-Header
Custom headers can only be added by JavaScript, and a script can only add them to requests within its own origin.