CSRF - Cross Site Request Forgery
CSRF lets an attacker cause a victim's browser to send requests to a site the victim is authenticated to, performing actions the victim did not intend. The attack works when both of the following hold:
- Cookie-based session handling: the browser attaches the session cookie automatically, so a request forged from the attacker's page carries the victim's session.
- No unpredictable request parameters: every value the server checks can be constructed by the attacker without knowing anything victim-specific.
- Use the SameSite cookie attribute on the session cookie:
  - Strict: the browser will not include the cookie in any request that originates from another site.
  - Lax: the browser will include the cookie in requests that originate from another site only if two conditions are met: the request uses the GET method and it results from a top-level navigation by the user, such as clicking a link (not a request issued by JavaScript, and not a subresource such as an image or iframe). Lax therefore does not protect an endpoint that changes state on GET; keep state changes on POST, and set the attribute explicitly rather than relying on browser defaults.
- Use a random, unpredictable CSRF token: generated server-side with a CSPRNG, bound to the user's session, placed in a hidden form field and compared server-side on every state-changing request. The PoC below is the attacker's page: it only succeeds if the `csrf` value it embeds is predictable, leaked, or not actually validated against the victim's session.

```html
<!-- attacker-hosted page: auto-submits a cross-site POST that carries the victim's cookies -->
<form method="POST" action="https://example.com/email">
  <input type="hidden" name="email" value="email@example.com">
  <input type="hidden" name="csrf" value="0KL98nyeTFWocYvP8q9RHGrIt9IYn1Q7">
</form>
<script>
  // document.forms is a collection, so submit the first form in it
  document.forms[0].submit();
</script>
```