You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A less secure configuration would be to configure your backend server to allow CORS from all subdomains of your site using a regular expression. If an attacker is able to [take over a subdomain](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover) (not uncommon with cloud services) your CORS configuration would allow them to bypass the same origin policy and forge a request with your custom header.
165
165
166
+
#### Avoiding "Special" Request Qualities
167
+
168
+
Most CSRF mitigation techniques rely on the assumption that a request is "special" if it includes cookies, basic authentication credentials, or relies on network properties such as IP addresses. However, an alternative way to defend against CSRF is to avoid treating such request attributes as special in the first place.
169
+
170
+
This approach is most suitable for API-driven applications that primarily interact with clients via AJAX-based calls instead of traditional HTML `<form>` submissions.
171
+
172
+
##### How It Works
173
+
174
+
By ensuring that authentication credentials are always explicitly sent as part of the request, CSRF attacks are inherently prevented since a malicious website cannot generate a valid authenticated request without access to these credentials. Since browsers do not allow cross-site requests with custom headers without an explicit CORS preflight check, CSRF attacks are prevented.
175
+
176
+
For example, an API that authenticates users via:
177
+
178
+
- A custom HTTP header containing a token stored in `localStorage`
179
+
- A value included in the request body of a `POST` request
180
+
181
+
##### Drawbacks of This Approach
182
+
183
+
While effective in many API-driven scenarios, this approach has limitations:
184
+
185
+
1.**Not helpful if HTML `<form>`-based authentication**
186
+
If your application allows users to log in or make authenticated requests via HTML forms, this technique will not provide CSRF protection.
187
+
188
+
2.**Requires additional security controls**
189
+
If authentication tokens are stored in `localStorage`, they are vulnerable to **Cross-Site Scripting (XSS) attacks**, which could allow an attacker to steal authentication credentials.
190
+
According to this [document](JSON_Web_Token_for_Java_Cheat_Sheet.md#token-storage-on-client-side), you must use strict security controls:
191
+
192
+
- Tokens stored in _localStorage_ should have _short expiration times_ (e.g., _15-30 minutes idle timeout, 8-hour absolute timeout_).
193
+
- Implement mechanisms such as _token rotation_ and _refresh tokens_ to minimize risk.
194
+
- Each authentication token should be long (e.g., 32+ characters), random, and unique.
195
+
196
+
##### Implementing Custom Headers for CSRF Protection
197
+
198
+
One method is to enforce the presence of a _custom authentication token_ in the HTTP headers. If a evil site forces a user's browser to do a HTTP POST, then the custom authentification token won't be included and the request will fail.
199
+
200
+
###### **Example: Adding a Token to a Custom HTTP Header**
201
+
202
+
```http
203
+
X-CSRF-Token: 123456789abcdef...
204
+
```
205
+
166
206
## Dealing with Client-Side CSRF Attacks (IMPORTANT)
167
207
168
208
[Client-side CSRF](https://soheilkhodayari.github.io/same-site-wiki/docs/attacks/csrf.html#client-side-csrf) is a new variant of CSRF attacks where the attacker tricks the client-side JavaScript code to send a forged HTTP request to a vulnerable target site by manipulating the program’s input parameters. Client-side CSRF originates when the JavaScript program uses attacker-controlled inputs, such as the URL, for the generation of asynchronous HTTP requests.
@@ -330,46 +370,6 @@ Do NOT use CAPTCHA because it is specifically designed to protect against bots.
330
370
331
371
While these are very strong CSRF defenses, it can create a significant impact on the user experience. As such, they would generally only be used for security critical operations (such as password changes, money transfers, etc.), alongside the other defences discussed in this cheat sheet.
332
372
333
-
## Alternative Approach – Avoiding "Special" Request Qualities
334
-
335
-
Most CSRF mitigation techniques rely on the assumption that a request is "special" if it includes cookies, basic authentication credentials, or relies on network properties such as IP addresses. However, an alternative way to defend against CSRF is to avoid treating such request attributes as special in the first place.
336
-
337
-
This approach is most suitable for API-driven applications that primarily interact with clients via AJAX-based calls instead of traditional HTML `<form>` submissions.
338
-
339
-
### How It Works
340
-
341
-
By ensuring that authentication credentials are always explicitly sent as part of the request, CSRF attacks are inherently prevented since a malicious website cannot generate a valid authenticated request without access to these credentials. Since browsers do not allow cross-site requests with custom headers without an explicit CORS preflight check, CSRF attacks are prevented.
342
-
343
-
For example, an API that authenticates users via:
344
-
345
-
- A custom HTTP header containing a token stored in `localStorage`
346
-
- A value included in the request body of a `POST` request
347
-
348
-
### Drawbacks of This Approach
349
-
350
-
While effective in many API-driven scenarios, this approach has limitations:
351
-
352
-
1.**Not helpful if HTML `<form>`-based authentication**
353
-
If your application allows users to log in or make authenticated requests via HTML forms, this technique will not provide CSRF protection.
354
-
355
-
2.**Requires additional security controls**
356
-
If authentication tokens are stored in `localStorage`, they are vulnerable to **Cross-Site Scripting (XSS) attacks**, which could allow an attacker to steal authentication credentials.
357
-
According to this [document](JSON_Web_Token_for_Java_Cheat_Sheet.md#token-storage-on-client-side), you must use strict security controls:
358
-
359
-
- Tokens stored in _localStorage_ should have _short expiration times_ (e.g., _15-30 minutes idle timeout, 8-hour absolute timeout_).
360
-
- Implement mechanisms such as _token rotation_ and _refresh tokens_ to minimize risk.
361
-
- Each authentication token should be long (e.g., 32+ characters), random, and unique.
362
-
363
-
### Implementing Custom Headers for CSRF Protection
364
-
365
-
One method is to enforce the presence of a _custom authentication token_ in the HTTP headers. If a evil site forces a user's browser to do a HTTP POST, then the custom authentification token won't be included and the request will fail.
366
-
367
-
#### **Example: Adding a Token to a Custom HTTP Header**
368
-
369
-
```http
370
-
X-CSRF-Token: 123456789abcdef...
371
-
```
372
-
373
373
## Possible CSRF Vulnerabilities in Login Forms
374
374
375
375
Most developers tend to ignore CSRF vulnerabilities on login forms as they assume that CSRF would not be applicable on login forms because user is not authenticated at that stage, however this assumption is not always true. CSRF vulnerabilities can still occur on login forms where the user is not authenticated, but the impact and risk is different.
0 commit comments