
Should my Cross-site request forgery TOKEN be viewable on my web page source code?

I am running a Rails app in production and can see the Cross-site request forgery token. I guess it should NOT be viewable.

asked by Vis (edited by bereal)

1 Answer

As long as the token is sufficiently random and unique per user session, it is perfectly fine if it is seen in the page code. A CSRF attack assumes that the malicious code is running from a different origin and has no access to the user's page. See more details in the OWASP article.

answered by bereal

  • I agree with you, but an attacker can steal it if a CORS misconfiguration is there. Any way to not store it there? – Vis May 30 '17 at 05:03
  • @Vis if there's a CORS misconfiguration, you have much worse problems than just CSRF. – bereal May 30 '17 at 06:12
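As an added illustration (not from the post, and not Rails' own implementation) of why the answer's two conditions matter, here is a plain-Ruby sketch of the synchronizer-token pattern: the token is deliberately visible in the served HTML, but it only works for the session it was issued to, and a page on another origin cannot read it. The in-memory SESSIONS store and the scenario helpers are constructed for this example; `authenticity_token` is the field name Rails uses.

```ruby
require 'securerandom'

# Constructed in-memory session store: session_id => { csrf_token: ... }.
# One random token per session; every form embeds it; POSTs must echo it back.
SESSIONS = {}

def new_session
  sid = SecureRandom.hex(16)
  SESSIONS[sid] = { csrf_token: SecureRandom.urlsafe_base64(32) }
  sid
end

# The page the browser sees. The token is in the source by design.
def render_form(sid)
  token = SESSIONS.fetch(sid)[:csrf_token]
  "<form method=\"post\" action=\"/transfer\">" \
  "<input type=\"hidden\" name=\"authenticity_token\" value=\"#{token}\">" \
  "</form>"
end

# Constant-time comparison so the token cannot be probed byte by byte.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check on a state-changing request: token must match THIS session.
def csrf_valid?(sid, params)
  session = SESSIONS[sid]
  return false if session.nil?
  secure_equal?(session[:csrf_token], params['authenticity_token'])
end

# Scenario 1: the legitimate page reads the token out of the form it was served.
def legitimate_request(sid)
  token = render_form(sid)[/value="([^"]+)"/, 1]
  csrf_valid?(sid, 'authenticity_token' => token)
end

# Scenario 2: another origin cannot read the victim's HTML (same-origin policy),
# so the best it can do is submit a guess.
def cross_site_request(sid)
  csrf_valid?(sid, 'authenticity_token' => SecureRandom.urlsafe_base64(32))
end

# Scenario 3: a token from the attacker's own session is useless against the victim's.
def replayed_token_request(victim_sid, attacker_sid)
  csrf_valid?(victim_sid, 'authenticity_token' => SESSIONS.fetch(attacker_sid)[:csrf_token])
end
```

The cross-origin and replayed requests fail only because the token is bound to the victim's session and unreadable from elsewhere, which is why a CORS misconfiguration that lets another origin read the page (the point raised in the comments) undermines it.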