Cross-site request forgery: Difference between revisions

To protect against CSRF, the website <code>shopping.com</code> should do the following:
# While the user is browsing <code>shopping.com</code>, its backend sets an anti-CSRF (XSRF) token cookie using a <code>Set-Cookie</code> header in a response.
#: <code>XSRF-TOKEN:UKL7smHAK4xENQj5pYbi</code>
#* This cookie will be different for each session: a fresh, unpredictable random value.
#* It must not be marked <code>HttpOnly</code>, because the front-end JavaScript has to read it in the next step; the session cookie itself should still be <code>HttpOnly</code>.
# When making requests to checkout, the front-end reads the token from the cookie and adds it to the HTTP request as a custom header or a hidden form field.
#: <code>X-XSRF-TOKEN:UKL7smHAK4xENQj5pYbi</code>
#* A page on another origin can neither read <code>shopping.com</code>'s cookies nor add a custom header to a cross-site form submission, so a forged request arrives without a valid token.
# Before processing the order, the backend checks the XSRF token in the request to make sure that it matches what it originally issued.
#* I.e. it checks that the value in the XSRF header (or hidden field) matches either the value of the <code>XSRF-TOKEN</code> cookie sent with the request (double-submit cookie) or the token saved server-side with the session (synchronizer token). A request whose token is missing or does not match is rejected.