OWASP Cross-Site Request Forgery (CSRF)
September 10th, 2022
Cross-Site Request Forgery (CSRF)
pattern: use anti-CSRF tokens for requests with side-effects
e.g. password changes, address changes, purchases
pattern: SameSite cookie policy
Set-Cookie: SID=...; SameSite=strict
😞 not zero-cost -> requires changes in the session management approach: split the session into two cookies
session "read" cookie: not same-site strict (still sent on cross-site GET requests, so read-only pages work)
session "write" cookie: SameSite=strict (required by state-changing requests, so a cross-site request never carries it)
ref: Cross-Site Request Forgery Prevention - OWASP Cheat Sheet