nqthqn
15 properties of living structures
About
An Ode to Paper
Authorization
Basics with Blender
Beguiling Bigrams
Builder Pattern
Content Security Policy
Convergent & Divergent Thinking
Cross-Site Request Forgery Prevention
Custom Elements or Web Components
Design Philosophy
Early Exposure
Flummoxing Feedback
Fonts with Obsidian Publish
HMAC
I use Helix
journey to image hooks
Kleene star notation
Knowledge Garden Planning
learn together
Marvel at the multiplex
Morphosyntax
other people say
Phantom Type
Pruning your Knowledge Garden
Résumé
Rotoscoping
SaaS Products
SHA-1
Simpler Obsidian
Trailhead
unknown unknowns
Web Security
Wordy
XSS
nqthqn

Cross-Site Request Forgery Prevention

Notes for OWASP Cross-Site Request Forgery Prevention

  • The key take-away — don’t let a monster near your cookies; they will tempt the server with them!
  • Same Origin Policy is enforced client-side. Exceptions can be made if a server response with headers Access-Control-Allow-Origin: * comes back that allows cross-origin requests to a resource.
  • Prevent against forged request with a securely generated random Anti-CSRF token
    • A session bound value that changes with each login session
    • A server-side value stored in an environment variable used to generate HMAC hash
Links to this page
Web Security
Cross-Site Request Forgery Prevention
Interactive graph
Powered by Obsidian Publish