-
-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The implementation probably defeats the purpose of CSRF protection #49
Comments
Couldn't you set 'sameSite' as 'Strict' on the cookie, meaning the cookie would not be attached? |
@sha256 you are right. As an additional security layer, if the user provides a secret, the token is HMAC signed, but only If a secret is provided. The changes you suggest align with the latest OWASP CSRF cheatsheet recommendation. I was following something closer to Understanding CSRF, but for v1, I'm moving entirely to OWASP's. Thanks for taking the time to submit the issue, and apologies for the late reply. |
In the server side, if you read the CSRF token value from cookie and do the validation, I don't think it protects you from CSRF attacks.
Let's say, on attacker's website, they have a form like this.
When this form is submitted, the browser will send the actual cookies of
yoursite.com
(including the CSRF related cookies) with the request. The server will always consider it valid because it's sending the previously set CSRF (valid) cookie.I recommend the following changes:
<form>
can send it as hidden input. Ajax requests can send it in the header.HttpOnly
should be optional. This way client can access it using JS and add it to the headers of Ajax requests.The text was updated successfully, but these errors were encountered: