Tjen's blog

OWASP Cross-Site Request Forgery (CSRF)

devops book.release-it appsec owasp

September 10th, 2022

Cross-Site Request Forgery (CSRF)

pattern: use anti-CSRF tokens for requests with side-effects

eg. password changes, address changes, purchases

pattern: SameSite cookie policy

Set-Cookie: SID=...; SameSite=strict

😞not zero-cost -> requires changes in session management approach
session "read" cookie: not same-site (GET requests)
session "write" cookie: same-site strict (state changing requests)

ref: Cross-Site Request Forgery Prevention - OWASP Cheat Sheet

(src:

This post was referenced in:

Model: OWASP top 10