Cross-site request forgery: Difference between revisions

Thus it is important for the backend to check the XSRF key against one that other websites cannot read.


If you send the XSRF token in a cookie and a hidden form field, this will not require any JS, since the browser will automatically repeat the hidden form field.
However, you need to make sure no CORS header is sent on that page; otherwise other websites will be able to read the XSRF token sent in the hidden form field.
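The double-submit scheme above, as an added example that is not part of the original article: the server mints a token, sets it as a cookie and repeats it in a hidden form field; the backend accepts a POST only when both copies match, and a separate check flags a response that would expose the hidden field cross-origin. The cookie and field names are assumptions for the demo.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumed names for the demo; the page does not fix them.
COOKIE_NAME = "XSRF-TOKEN"
FIELD_NAME = "xsrf_token"


def issue_token() -> str:
    """Mint an unguessable token. The server sets it in a cookie and embeds
    the same value in a hidden field of the form it serves."""
    return secrets.token_urlsafe(32)


def render_form(token: str, action: str = "/transfer") -> str:
    """The hidden field carries the token; the browser resubmits it with the
    form and attaches the cookie, with no JavaScript involved."""
    return (
        f'<form method="POST" action="{action}">'
        f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'
        '<input type="submit" value="Send"></form>'
    )


def verify_xsrf(cookie_header: str, form_fields: dict) -> bool:
    """Backend check: the hidden-field token must equal the cookie token.
    A cross-site page can make the browser send the cookie but cannot read
    it, so it cannot supply a matching form field."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    field = form_fields.get(FIELD_NAME, "")
    if morsel is None or not morsel.value or not field:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(morsel.value, field)


def leaks_token_via_cors(response_headers: dict) -> bool:
    """The page carrying the hidden field must not be readable cross-origin:
    an Access-Control-Allow-Origin header on it lets the listed origin fetch
    the HTML and extract the token, defeating the check in verify_xsrf."""
    return any(k.lower() == "access-control-allow-origin" for k in response_headers)


if __name__ == "__main__":
    tok = issue_token()  # constructed request: cookie and field agree
    print(verify_xsrf(f"{COOKIE_NAME}={tok}", {FIELD_NAME: tok}))
    print(leaks_token_via_cors({"Access-Control-Allow-Origin": "*"}))
```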
E.g.