Questions tagged [csrf]

Cross Site Request Forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced "sea-surf") or XSRF, is a malicious attack that exploits a website's trust in a user's browser. The attacker tries to get the user's own web browser (or web application) to execute unwanted commands on the victim's behalf.

Prevention

History

CSRF vulnerabilities have been known, and in some cases exploited, since 2001. Because the forged request is sent by the victim's own browser from the victim's IP address, a website's logs may contain no evidence that distinguishes a CSRF request from a legitimate one.

4615 questions
32 votes · 3 answers

Having a POST'able API and Django's CSRF Middleware

I have a Django webapp that has both a front-end, web-accessible component and an API that is accessed by a desktop client. However, now with the new CSRF middleware component, API requests from the desktop client that are POST'ed get a 403. I…
T. Stone · 19,209 · 15 · 69 · 97
31 votes · 1 answer

anti-CSRF token and Javascript

I'm trying to protect an application (php and lots of JS) from CSRF. I want to use tokens. A lot of operations are done with AJAX, so I have to pass the token in Javascript. If I want to generate 1 token per session or per page load it's simple - I…
Leonti · 10,400 · 11 · 43 · 68
31 votes · 19 answers

codeigniter CSRF error: "The action you have requested is not allowed."

I enabled the csrf_protection option in codeigniter's config file, and used form_open() function to create my forms. But when I submit the form, this error occurs: The action you have requested is not allowed. I have done the answers like this…
Mojtaba · 786 · 1 · 9 · 18
31 votes · 2 answers

Example of silently submitting a POST FORM (CSRF)

I'm interested in knowing how it is possible to silently submit a POST form for CSRF, without the user having any notice (the document location being redirected to the POSTed URL is not silent). Example:
apscience · 7,033 · 11 · 55 · 89
30 votes · 2 answers

CSRF protection: do we have to generate a token for every form?

Do we have to generate a token for every form in a website? I mean, generate a different token every time for every requested form? If not, why?
Centurion · 14,106 · 31 · 105 · 197
30 votes · 3 answers

Jquery and Django CSRF Token

I have 2 html Pages. A Parent Page and a Child Page. The Child Page Contains a Submit Button that runs code on the Parent Page to submit an Ajax message. I load the child page using $.load() method and then when the button is clicked it runs a…
TheMonkeyMan · 8,622 · 8 · 27 · 42
30 votes · 6 answers

Is an X-Requested-With header server check sufficient to protect against a CSRF for an ajax-driven application?

I'm working on a completely ajax-driven application where all requests pass through what basically amounts to a main controller which, at its bare bones, looks something like this: if(strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) ==…
Greg · 7,782 · 7 · 43 · 69
29 votes · 11 answers

Laravel X-CSRF-Token mismatch with POSTMAN

I try to talk to my REST API built with Laravel. But the call with POSTMAN is rejected due to a token mismatch. I guess I need to include the CSRF token in the header. But do I need the encrypted one? When I insert this token I still get the error…
sesc360 · 3,155 · 10 · 44 · 86
29 votes · 7 answers

Laravel 5 CSRF global token hidden field for all forms in a page

I recently migrated to Laravel 5, and now CSRF check is on every post submission. I thought about removing it but I want to follow the best practices, so I'll keep it that way. On the other hand, I'm having problems submitting ajax requests... my page has…
sigmaxf · 7,998 · 15 · 65 · 125
28 votes · 10 answers

Same-Site flag for session cookie in Spring Security

Is it possible to set Same-site Cookie flag in Spring Security? And if not, is it on a roadmap to add support, please? There is already support in some browsers (i.e. Chrome).
Tomáš Hála · 291 · 1 · 3 · 4
28 votes · 3 answers

How does Angular handle XSS or CSRF?

How does Angular (2) handle XSS and CSRF? Does it even handle these attacks? If so, what do I have to do to use this protection? If not, do I have to handle all these attacks in my server, or somehow with TypeScript in the frontend? I have read…
TheHeroOfTime · 751 · 4 · 9 · 23
27 votes · 3 answers

Next.js Authentication Strategies

I've been trying to implement a reliable authentication flow for a Next.js project but I'm completely lost now. I've already seen the examples repo of Next.js. But I have a lot of questions for a complete solution. I have an express.js API and a…
Onur Önder · 1,002 · 1 · 10 · 16
27 votes · 1 answer

When is the use of an AntiForgeryToken not required/needed?

UPD: Same question asked on security.stackexchange.com and the answer I got is different. Please follow there, to get the correct answer! I'm running a rather large site with thousands of visits every day, and a rather large userbase. Since I…
Artiom Chilaru · 11,811 · 4 · 41 · 52
27 votes · 2 answers

Why can't a malicious site obtain a CSRF token via GET before attacking?

If I understand correctly, in a CSRF attack a malicious website A tells my browser to send a request to site B. My browser will automatically include my B cookies in that request. Although A cannot see those cookies, if I'm already authenticated in…
thelastone · 475 · 4 · 11
27 votes · 1 answer

What are some viable techniques for combining CSRF protection with RESTful APIs?

I'm interested in hearing what approaches people have taken when building a RESTful (or quasi-RESTful) API for their web applications. A practical example: Say you have a traditional browser-based web application which uses CSRF protection on all…
Darryl H. Thomas · 1,021 · 9 · 13