Questions tagged [csrf]

Cross Site Request Forgery is a malicious attack to exploit a website's trust in a user's browser.

Cross Site Request Forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced "sea-surf") or XSRF, is a malicious attack that exploits a website's trust in a user's browser. The attacker tries to get the user's own web browser (or web application) to execute unwanted commands.

It can be shortened to CSRF or XSRF.

Prevention

History

CSRF vulnerabilities have been known and in some cases exploited since 2001. Because it is carried out from the user's IP address, some website logs might not have evidence of CSRF.

4615 questions
118 votes, 20 answers

"The page has expired due to inactivity" - Laravel 5.5

My register page is showing the form properly with CsrfToken ({{ csrf_field() }}) present in the form. Form HTML:
{{ csrf_field() }} …
Sougata Bose
114 votes, 3 answers

Turn off CSRF token in rails 3

I have a rails app that serves some APIs to an iPhone application. I want to be able to simply post on a resource without minding about getting the correct CSRF token. I tried some methods that I see here in stackoverflow but it seems they no longer work…
Simone D'Amico
97 votes, 11 answers

Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'

After configuring Spring Security 3.2, _csrf.token is not bound to a request or a session object. This is the spring security config:
Hugo Robayo
97 votes, 5 answers

Are JSON web services vulnerable to CSRF attacks?

I am building a web service that exclusively uses JSON for its request and response content (i.e., no form encoded payloads). Is a web service vulnerable to CSRF attack if the following are true? Any POST request without a top-level JSON object,…
djsmith
83 votes, 10 answers

rails - "WARNING: Can't verify CSRF token authenticity" for json devise requests

How can I retrieve the CSRF token to pass with a JSON request? I know that for security reasons Rails is checking the CSRF token on all the request types (including JSON/XML). I could put in my controller skip_before_filter…
user1027503
81 votes, 6 answers

How to prevent CSRF in a RESTful application?

Cross Site Request Forgery (CSRF) is typically prevented with one of the following methods: check referer - RESTful but unreliable; insert token into form and store the token in the server session - not really RESTful; cryptic one time URIs - not…
deamon
79 votes, 2 answers

React frontend and REST API, CSRF

Using React on the frontend with a RESTful API as backend and authorisation by a JSON Web Token (JWT), how do we handle sessions? For example after login, I get a JWT token from REST. If I save it to localStorage I am vulnerable to XSS, if I save it…
Itsmeromka
77 votes, 11 answers

SameSite cookie in Java application

Do you know any Java cookie implementation which allows setting a custom flag for a cookie, like SameSite=strict? It seems that javax.servlet.http.Cookie has a strictly limited set of flags which can be added.
Michal_Szulc
74 votes, 6 answers

Does a proper CORS setup prevent CSRF attack?

If CORS is properly set up on a server to only allow certain origins to access the server, is this enough to prevent CSRF attacks?
programmerdave
72 votes, 5 answers

Rails: How Does csrf_meta_tag Work?

I'm a PHP developer learning Ruby on Rails by reading Michael Hartl's tutorial. Here is a quote from the book, referring to csrf_meta_tag: ...the Rails method csrf_meta_tag [prevents] cross-site request forgery (CSRF), a type of malicious web…
Nick
71 votes, 2 answers

CSRF protection with JSON Web Tokens

I read that when using JWT, there is no need to protect against CSRF attacks, for instance: "since you are not relying on cookies, you don't need to protect against cross site requests". However, something I do not understand: if I store the token…
JulienD
71 votes, 4 answers

Angular against Asp.Net WebApi, implement CSRF on the server

I'm implementing a website in Angular.js, which is hitting an ASP.NET WebAPI backend. Angular.js has some in-built features to help with anti-csrf protection. On each http request, it will look for a cookie called "XSRF-TOKEN" and submit it as a…
dbruning
68 votes, 3 answers

What is the reason to disable csrf in spring boot web application?

There are many tutorials where it is shown how to disable csrf, csrf().disable() (and other possibilities like .properties, .yml, etc.), but nowhere is it explained why they do this. So my questions are: What is the real-life reason to disable it? Is it…
arminvanbuuren
65 votes, 5 answers

Forbidden (403) CSRF verification failed. Request aborted. Reason given for failure: Origin checking failed does not match any trusted origins

Help. Reason given for failure: Origin checking failed - https://praktikum6.jhoncena.repl.co does not match any trusted origins. In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django’s CSRF mechanism has not…
Erico Fahri
65 votes, 2 answers

Passing csrftoken with python Requests

How do you pass a csrftoken with the python module Requests? This is what I have but it's not working, and I'm not sure which parameter to pass it into (data, headers, auth...) import requests from bs4 import BeautifulSoup URL =…
Jeff