Questions tagged [csrf]

Cross Site Request Forgery is a malicious attack that exploits a website's trust in a user's browser.

Cross Site Request Forgery, also known as a one-click attack or session riding and abbreviated CSRF (sometimes pronounced "sea-surf") or XSRF, is an attack that exploits a website's trust in a user's browser. The attacker gets the victim's own browser (or web application) to send a request the victim did not intend, and the site accepts it because the browser automatically attaches the victim's ambient credentials, typically the session cookie, to every request to that site.

Prevention

The two defences that recur in the questions below are an unpredictable anti-forgery token that the server ties to the session and checks on every state-changing request (the token an attacker's page cannot read, because the same-origin policy prevents it from reading responses from the target site), and the SameSite cookie attribute, which stops the browser from attaching the session cookie to cross-site requests. Checking the Origin or Referer header is a further, independent check. Note that the same-origin policy alone does not prevent CSRF: it stops the attacker's page from reading the response, not from sending the request.

History

CSRF vulnerabilities have been known, and in some cases exploited, since 2001. Because the forged request is sent by the victim's own browser from the victim's IP address, server logs usually cannot distinguish it from a legitimate request.
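As an added illustration (not part of the tag wiki or of any framework's code), the following Python script models the attack and both defences. The in-memory session store, the dict-shaped request, the handler names `transfer_unprotected` / `transfer_protected` and the `browser_attaches_cookie` model of the browser's SameSite rule are assumptions made for the example; the forged form data is constructed.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


class Session:
    """Constructed server-side session: the logged-in user and their anti-forgery token."""

    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)  # unpredictable, bound to this session


SESSIONS = {}  # session id -> Session (assumed in-memory store for the example)


def login(user):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user)
    return sid


def browser_attaches_cookie(samesite, same_site_request, top_level_navigation, method):
    """Model of the browser-side SameSite decision (the server never sees this step).
    Strict: sent only on same-site requests.
    Lax:    same-site, plus cross-site top-level navigations using a safe method.
    None:   always sent (must also be Secure; not modelled here)."""
    if same_site_request:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return top_level_navigation and method in SAFE_METHODS
    return True  # SameSite=None


def make_request(method, form, cookies, samesite="Lax", same_site=True, top_level=True):
    """Constructed stand-in for the request the server receives after the browser's cookie policy."""
    attach = browser_attaches_cookie(samesite, same_site, top_level, method)
    return {"method": method, "form": dict(form), "cookies": dict(cookies) if attach else {}}


def transfer_unprotected(req):
    """Vulnerable handler: trusts whatever session cookie the browser attached."""
    session = SESSIONS.get(req["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    return 200, f"{session.user} sent {req['form']['amount']} to {req['form']['to']}"


def transfer_protected(req):
    """Hardened handler: a state-changing request must also carry the session's token.
    The attacker's page cannot read the token (same-origin policy), so it cannot forge it."""
    session = SESSIONS.get(req["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    if req["method"] not in SAFE_METHODS:
        submitted = req["form"].get("csrf_token", "")
        if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
            return 403, "CSRF token missing or invalid"
    return 200, f"{session.user} sent {req['form']['amount']} to {req['form']['to']}"


def scenario():
    """Runs the attack against each configuration and returns the status codes observed."""
    sid = login("alice")
    cookies = {"sid": sid}
    forged = {"amount": "1000", "to": "mallory"}  # attacker's auto-submitted form: no token

    # 1. Cross-site POST with a SameSite=None cookie: the browser attaches the cookie.
    attack = make_request("POST", forged, cookies, samesite="None", same_site=False)
    unprotected = transfer_unprotected(attack)[0]  # 200: the forged transfer goes through
    protected = transfer_protected(attack)[0]      # 403: the token check stops it

    # 2. Same cross-site POST, but the cookie is SameSite=Lax: the browser withholds it.
    lax_attack = make_request("POST", forged, cookies, samesite="Lax", same_site=False)
    lax = transfer_unprotected(lax_attack)[0]      # 401: no session reaches even the weak handler

    # 3. Legitimate same-site form carrying the token the page rendered for alice.
    legit_form = dict(forged, csrf_token=SESSIONS[sid].csrf_token, to="bob")
    legit = transfer_protected(make_request("POST", legit_form, cookies))[0]  # 200

    return {"unprotected": unprotected, "protected": protected, "lax": lax, "legit": legit}


if __name__ == "__main__":
    print(scenario())
```

Two caveats the model makes visible: `SameSite=Lax` still attaches the cookie to a cross-site top-level GET, so any endpoint that changes state on GET stays exposed unless it also checks a token; and the token must be compared with a constant-time comparison and tied to the session, not merely present, or an attacker can supply any value.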

4615 questions
49 votes, 2 answers

JWT and CSRF differences

I've been reading about JWT, and from what I understand, it's a token that the server sends after a user logs in. The user will have to send that token with all future HTTP requests. This creates a stateless way for the server to verify a user's…
Caciano
49 votes, 8 answers

Preventing CSRF with the same-site cookie attribute

I was surfing the web and found the article Preventing CSRF with the same-site cookie attribute. As the link maintains, we need to add a Set-Cookie header: Set-Cookie: key=value; HttpOnly; SameSite=strict. Now my question is, I want to set this in my…
imlim
49 votes, 4 answers

Disable CSRF validation for individual actions in Yii2

Is there a way to disable CSRF validation for some actions of the controller keeping it enabled for the other ones? In my case I have several configurable Action classes, that are intended to be injected into controllers. I can't pass csrf…
coderlex
49 votes, 2 answers

WARNING: Can't verify CSRF token authenticity in case of API development

I am right now developing web APIs with Ruby on Rails. When the Rails app receives a POST request without any CSRF token, the following error message occurs, because the app has no views: WARNING: Can't verify CSRF token authenticity. So my…
diveintohacking
48 votes, 7 answers

Could not verify the provided CSRF token because your session was not found in spring security

I am using Spring Security along with Java config: @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/api/*").hasRole("ADMIN") .and() .addFilterAfter(new…
Haseeb Wali
48 votes, 4 answers

Why isn't the same-origin policy enough to prevent CSRF attacks?

First of all, I assume a backend that controls inputs to prevent XSS vulnerabilities. In this answer @Les Hazlewood explains how to protect the JWT on the client side. Assuming 100% TLS for all communication - both during and at all times after…
gabrielgiussi
47 votes, 8 answers

Laravel 5: Handle exceptions when request wants JSON

I'm doing file uploads via AJAX on Laravel 5. I've got pretty much everything working except one thing. When I try to upload a file that is too big (bigger than upload_max_filesize and post_max_size) I get a TokenMismatchException thrown. This is to…
Jonathon
47 votes, 2 answers

How to exempt CSRF Protection on direct_to_template

I have a flow in my Django application in which I redirect the user to another service (e.g. PayPal) which, after some processing of its own, returns the user back to my own server. The returning point on my server is a simple HTML success page which I…
sharjeel
46 votes, 5 answers

How to render CSRF input in twig?

I know there's the usual way to render CSRF token hidden input with form_rest, but is there a way to render just CSRF input itself? I've overridden {% block field_widget %} in theme to render a piece of additional text. But as CSRF token is rendered…
Ondrej Slinták
45 votes, 6 answers

How do I solve an AntiForgeryToken exception that occurs after an iisreset in my ASP.Net MVC app?

I'm having problems with the AntiForgeryToken in ASP.Net MVC. If I do an iisreset on my web server and a user continues with their session they get bounced to a login page. Not terrible, but then the AntiForgery token blows up and the only way to…
Colin Newell
44 votes, 10 answers

Rails, Devise authentication, CSRF issue

I'm doing a single-page application using Rails. When signing in and out, Devise controllers are invoked using ajax. The problem I'm getting is that when I 1) sign in 2) sign out then signing in again doesn't work. I think it's related to CSRF token…
vrepsys
42 votes, 4 answers

How do you solve the error KeyError: 'A secret key is required to use CSRF.' when using a wtform in flask application?

I have been trying to build a web app using Flask and WTForms and a Firebase database, but I keep getting the error message "KeyError: 'A secret key is required to use CSRF.'" and I don't know how to solve it. Here is my code: from flask import…
42 votes, 3 answers

How can I embed django csrf token straight into HTML?

Within my Django app I am storing strings of HTML in the DB that will then be displayed on the users' home pages as "messages". Some of these messages contain forms, but not being written in the template language, I am not able to insert the csrf…
ergelo
41 votes, 13 answers

How to include the CSRF token in the headers in Dropzone upload request?

I am working on a single page application and I am using Laravel 5 for the web service. All forms are submitted asynchronously and I use a beforeSend on them to attach the CSRF token which I take from the meta tag like so: $.ajax({ url:…
Rohan
41 votes, 6 answers

Is CSRF Protection necessary on a sign-up form?

Rails automatically adds CSRF protection to all forms by default by adding an authentication_token to all forms generated by the site. I'd really like my site to have a simple sign up form on the front page of the site, which of course would be a…
John H