If CORS is properly set up on a server to only allow certain origins to access the server, is this enough to prevent CSRF attacks?
There are also several misconceptions about how CORS is related to various types of cyber attacks. To clear things up, CORS by itself does not prevent or protect against any cyber attack. It does not stop cross-site scripting (XSS) attacks.
Discussion on: Understanding CORS
You should protect against CSRF on any inputs that can change state imo. If no one from another origin is able to make requests to your site (CORS disabled), then CSRF is redundant imo.
The most effective method of protecting against CSRF is by using anti-CSRF tokens. The developer should add such tokens to all forms that allow users to perform any state-changing operations. When an operation is submitted, the web application should then check for the presence of the correct token.
Some web sites defend against CSRF attacks using SameSite cookies. The SameSite attribute can be used to control whether and how cookies are submitted in cross-site requests.
Some of the up-voted answers already here are stating that the Same Origin Policy prevents cross-site requests, and therefore prevents CSRF. This is not the case. All the SOP does is prevent the response from being read by another domain (aka origin). This is irrelevant to whether a "classic" CSRF attack is successful or not.
The only time the SOP comes into play with CSRF is to prevent any token from being read by a different domain. All CORS does is relax the SOP when it is active. It does not increase security, it simply allows some exceptions to take place.
We'll describe how traditional CORS policies aren't sufficient defense against cross-site request forgery (CSRF) attacks, and unveil a new Node module that layers CSRF protection on top of such policies, cors-gate.
The only time the SOP comes into play with "classic" CSRF is to prevent any token from being read by a different domain. Of course, now that we have CORS and all sorts of cross-domain requests are possible, such as PUT and DELETE, CORS does in fact protect against these by requiring a pre-flight.
No!
CORS enables sharing between two domains, whereas XSRF is an attack method that does not depend on CORS in any way.
I don't understand what you mean by "CORS is properly set up", but when attacking with XSRF, the browser doesn't ask for CORS headers from the server.
CORS is not security :)
To be more specific, it is easy to make the mistake of thinking that if evil.example cannot make a request to good.example due to CORS then CSRF is prevented. There are two problems being overlooked, however:

1. CORS is respected by the browsers only. That means Google Chrome will obey CORS and not let evil.example make a request to good.example. However, imagine someone builds a native app or whatever which has a form that POSTs things to your site. XSRF tokens are the only way to prevent that.

2. It is easy to overlook the fact that CORS is only for JS requests. A regular form on evil.example that POSTs back to good.example will still work despite CORS.
For these reasons, CORS is not a good replacement for XSRF tokens. It is best to use both.
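The point made in this answer, and the anti-CSRF token and SameSite-cookie defences mentioned earlier in the thread, can be seen in a small simulation. The following is an added example, not code from any poster; the request and response classes, the `naive_transfer` and `hardened_transfer` handlers, the session id, the balances and the secret are all constructed for illustration. It replays a forged cross-site form POST (session cookie attached by the browser, no token, attacker's Origin) against a handler that relies on the session cookie plus a CORS allow-list, and against the same handler with an HMAC-bound anti-CSRF token check.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed values for the demo (hypothetical, not from the thread).
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"
ALLOWED_ORIGINS = {"https://good.example"}


@dataclass
class Request:
    method: str
    headers: dict
    cookies: dict
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def cors_headers(origin):
    """CORS only decides whether the *browser* lets a script read the response.
    It never decides whether the server performs the requested operation."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def csrf_token_for(session_id):
    """Anti-CSRF token bound to the session with an HMAC, so a token issued to
    one session is useless for another and cannot be forged without the secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def valid_csrf_token(session_id, token):
    if not isinstance(token, str):
        return False
    expected = csrf_token_for(session_id)
    return hmac.compare_digest(expected.encode(), token.encode())


def naive_transfer(req, balances):
    """Relies on the session cookie alone. A cross-site HTML form POST carries the
    cookie, so the transfer is executed even though the attacker's origin is not
    in the CORS allow-list; CORS merely stops the attacker reading the reply."""
    sid = req.cookies.get("session")
    if sid is None:
        return Response(401)
    balances[sid] -= int(req.form["amount"])
    return Response(200, cors_headers(req.headers.get("Origin")), "ok")


def hardened_transfer(req, balances):
    """Same endpoint with an anti-CSRF token check. The token is embedded in
    good.example's own pages, which the SOP prevents other origins from reading."""
    sid = req.cookies.get("session")
    if sid is None:
        return Response(401)
    if not valid_csrf_token(sid, req.form.get("csrf_token")):
        return Response(403, body="missing or invalid anti-CSRF token")
    balances[sid] -= int(req.form["amount"])
    return Response(200, cors_headers(req.headers.get("Origin")), "ok")


def login_response(session_id):
    """Issues the session cookie with SameSite=Lax, so browsers that honour the
    attribute omit the cookie from cross-site POSTs: a second, independent layer."""
    cookie = f"session={session_id}; Secure; HttpOnly; SameSite=Lax"
    return Response(200, {"Set-Cookie": cookie})


def run_demo():
    """Replays one forged and one legitimate request against both handlers."""
    # Constructed cross-site form POST: cookie present, no token, attacker Origin.
    forged = Request("POST", {"Origin": "https://evil.example"},
                     {"session": "alice-session"}, {"amount": "40"})
    # Constructed same-origin form POST carrying the token from good.example's page.
    legit = Request("POST", {"Origin": "https://good.example"},
                    {"session": "alice-session"},
                    {"amount": "40", "csrf_token": csrf_token_for("alice-session")})
    results = {}

    naive = {"alice-session": 100}
    r = naive_transfer(forged, naive)
    # Transfer executed (balance 60) even though no CORS header is granted to evil.example.
    results["naive_forged"] = (r.status, naive["alice-session"],
                               "Access-Control-Allow-Origin" in r.headers)

    hardened = {"alice-session": 100}
    r = hardened_transfer(forged, hardened)
    results["hardened_forged"] = (r.status, hardened["alice-session"])  # rejected, balance intact
    r = hardened_transfer(legit, hardened)
    results["hardened_legit"] = (r.status, hardened["alice-session"])   # accepted
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The naive handler shows the thread's point directly: the allow-list correctly withholds `Access-Control-Allow-Origin` from the forged request, yet the state change still happens because the browser attached the cookie. The hardened handler rejects the same request with 403 while accepting the legitimate one, and `login_response` adds the SameSite attribute as defence in depth rather than as the sole control.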
No.
The Same Origin Policy (which CORS allows you to punch selective holes through) prevents third party sites from masquerading as a user in order to read (private) data from another site.
A Cross Site Request Forgery attack is when a third party site masquerades as a user to submit data to another site (as that user). It doesn't need to read the response back.