Cross-site request forgery: Difference between revisions
To protect against CSRF, the website <code>shopping.com</code> should do the following:
# While the user is browsing <code>shopping.com</code>, its backend sets an anti-CSRF cookie using a <code>Set-Cookie</code> header in a response.
#: <code>Set-Cookie: XSRF-TOKEN=UKL7smHAK4xENQj5pYbi</code>
#* The token is a random, unpredictable value that is different for each session, and the cookie must not be <code>HttpOnly</code>, because the front-end has to read it.
# When making requests to checkout, the front-end reads the token and adds it to the HTTP request as a custom header or a hidden form field.
#: <code>X-XSRF-TOKEN: UKL7smHAK4xENQj5pYbi</code>
# Before processing the order, the backend checks the XSRF header (or hidden field) to make sure that it matches the token it issued.
#* I.e. it checks that the value in the <code>X-XSRF-TOKEN</code> header or hidden field matches the value in the <code>XSRF-TOKEN</code> cookie sent with the request (double-submit cookie) or the token saved server-side in the session (synchronizer token).
#* This works because a page on another origin can make the browser send a request that carries the victim's <code>shopping.com</code> cookies, but it cannot read those cookies, so it cannot copy the token into the header or form field.
#* The double-submit variant additionally relies on the attacker being unable to set cookies for <code>shopping.com</code> (for example from a compromised subdomain); comparing against a token stored in the server-side session does not have that dependency.