[Article sharing] A lesson for developers to revise on CSRF attack protection

Here is the article: Defense Against the Dark Arts: CSRF Attacks
This is a good article that tells a humorous story about how to protect a web application from CSRF (Cross-site request forgery) attacks.
I think it is well worth reading for web app developers as a refresher on what they already know, whether you are a frontend or backend developer.

I suggest reading the whole story, but for those who want the TL;DR, here is the summary:

  1. Introduced an authentication system to prevent attackers from impersonating users.
  2. Used cookies to do this in a way that does not require two HTTP roundtrips (with a loading spinner in between) to view pages with private information, like a page listing a user’s private messages.
  3. Defended against <img src="some-endpoint-here"> GET CSRF attacks by requiring that endpoints which make changes to things use HTTP verbs other than GET. (In this case, we used POST.)
  4. Defended against <form> POST CSRF attacks by checking that the Origin and/or Referer headers match hogwarts.edu (and rejecting the request if neither header is present).
  5. Added a second line of defense against future potential Origin and/or Referer vulnerabilities by requiring that the Content-Type header be set to application/json.
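Steps 3 to 5 above are one layered request check, so here is the whole thing in one place as a runnable example. This is added code written for this post, not code from the article or from any project; the allowed origin, the endpoint paths and the sample requests are all constructed for illustration. It makes the comparison an exact match on the full origin (scheme and host), which is the detail most often got wrong: a prefix match would let `https://hogwarts.edu.evil.example` through.

```python
from urllib.parse import urlsplit

# Constructed for this example: the site's own origin, following the article's hogwarts.edu.
ALLOWED_ORIGINS = {"https://hogwarts.edu"}
# HTTP methods that must never change state (step 3 of the summary).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Reduce a Referer URL to scheme://host[:port] so it can be compared as an origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(method, path, headers, state_changing):
    """Return (allowed, reason) for one request.

    state_changing marks endpoints that modify data; read-only endpoints are
    left alone, because CSRF is only a problem when a request has side effects.
    """
    method = method.upper()
    h = {k.lower(): v for k, v in headers.items()}

    if not state_changing:
        return True, "read-only endpoint"

    # Step 3: an <img src=...> can only issue a GET, so state changes must not
    # be reachable through any "safe" method.
    if method in SAFE_METHODS:
        return False, f"{method} {path}: state-changing endpoint called with a safe method"

    # Step 4: browsers attach Origin to cross-origin POSTs; fall back to Referer,
    # and reject outright if neither is present. Compare whole origins, never prefixes.
    if "origin" in h:
        src = h["origin"].lower()          # a value of "null" simply fails the set lookup
    elif "referer" in h:
        src = origin_of(h["referer"])
    else:
        return False, f"{method} {path}: neither Origin nor Referer present"
    if src not in ALLOWED_ORIGINS:
        return False, f"{method} {path}: cross-site request from {src}"

    # Step 5: second line of defence. An HTML <form> cannot send application/json,
    # and a cross-origin fetch() with it triggers a CORS preflight the server can refuse.
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return False, f"{method} {path}: Content-Type is not application/json"

    return True, "same-site JSON request"


# Constructed sample requests covering the attack shapes the article walks through.
SAMPLE_REQUESTS = [
    ("img-tag GET", "GET", "/messages/delete", {"Referer": "https://evil.example/"}, True),
    ("cross-site form POST", "POST", "/messages/delete",
     {"Origin": "https://evil.example", "Content-Type": "application/x-www-form-urlencoded"}, True),
    ("lookalike origin", "POST", "/messages/delete",
     {"Origin": "https://hogwarts.edu.evil.example", "Content-Type": "application/json"}, True),
    ("headers stripped", "POST", "/messages/delete", {"Content-Type": "application/json"}, True),
    ("same-site form POST", "POST", "/messages/delete",
     {"Origin": "https://hogwarts.edu", "Content-Type": "application/x-www-form-urlencoded"}, True),
    ("same-site fetch", "POST", "/messages/delete",
     {"Origin": "https://hogwarts.edu", "Content-Type": "application/json; charset=utf-8"}, True),
    ("page view", "GET", "/messages", {}, False),
]


def run_samples():
    """Map each sample request name to whether csrf_check allows it."""
    return {name: csrf_check(method, path, headers, changing)[0]
            for name, method, path, headers, changing in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for name, method, path, headers, changing in SAMPLE_REQUESTS:
        allowed, reason = csrf_check(method, path, headers, changing)
        print(f"{'ALLOW ' if allowed else 'REJECT'} {name:22s} {reason}")
```

Only the last two samples are allowed. Note that the same-site form POST is rejected by step 5 even though its Origin is correct: that is the point of the second line of defence, and it means the site's own forms have to submit JSON via script rather than a plain `<form>`. This mirrors the article's header-based approach; it is not a replacement for a per-session CSRF token, which is still the more common defence.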


Dear developers, have a nice day~!