Does HTTPS protect against CSRF attacks?

I'm writing a mostly ajax-driven web application and I'm looking at how to protect the user from CSRF attacks. I'm planning to run the pages of the application where the user is logged in to do his work in HTTPS mode.

Does running the page on HTTPS work to protect against CSRF attacks?

asked Dec 03 '11 20:12 by frenchie


People also ask

Does using SSL prevent CSRF attacks?

Moreover, using SSL does not prevent a CSRF attack, because the malicious site can send an "https://" request. Typically, CSRF attacks are possible against web sites that use cookies for authentication, because browsers send all relevant cookies to the destination web site.

What are CSRF attacks and how do they work?

Typically, CSRF attacks are possible against web sites that use cookies for authentication, because browsers send all relevant cookies to the destination web site. However, CSRF attacks are not limited to exploiting cookies. For example, Basic and Digest authentication are also vulnerable.

Should I trust that the site has measures in place to prevent CSRF?

Don’t trust that the site you're visiting has measures in place to prevent CSRF attacks. Many sites do have controls in place to protect against it, but it is not a good practice to assume this.

Does running a page on https protect it from CSRF?

No, running a page on HTTPS does not protect it from CSRF. The fact that the communication between the browser and server is encrypted has no bearing on CSRF.


2 Answers

No, running a page on HTTPS does not protect it from CSRF. The fact that the communication between the browser and server is encrypted has no bearing on CSRF.

I suggest reading the OWASP guidance on preventing CSRF.

answered Oct 19 '22 16:10 by Oded
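To make the point concrete, here is an added example (not code from the answer above, and not OWASP's own code) of the synchronizer-token pattern that the OWASP guidance describes, applied to an ajax-driven application like the one in the question. The in-memory session store, the user names and the `X-CSRF-Token` header name are assumptions made for the example. The server never looks at whether the request arrived over HTTPS, because that is not what decides whether a request was forged: the browser attaches the session cookie to a cross-site request either way, and only the token that the attacker's page cannot read tells the two apart.

```python
import hmac
import secrets

# Constructed in-memory session store (assumption: a real application would
# use its framework's session backend): session id -> session data.
SESSIONS = {}

# Methods that change state and therefore must carry the anti-CSRF token.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def create_session(user):
    """Log a user in: issue a session id (sent to the browser as a cookie) and a
    per-session CSRF token that the server-rendered page hands to its own JavaScript."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """What the legitimate page can read (for example from a meta tag) and an
    attacker's page cannot, because the same-origin policy keeps it from reading
    the response that carries it."""
    return SESSIONS[sid]["csrf_token"]


def handle_request(method, path, cookies, headers):
    """Server-side check for one request. Nothing here inspects the transport:
    TLS protects the channel, not the origin of the request, so a server that
    relied on HTTPS alone would accept the forged request below."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    if method in STATE_CHANGING:
        sent = headers.get("X-CSRF-Token", "")
        # Constant-time comparison so the check does not leak the token through timing.
        if not hmac.compare_digest(sent, session["csrf_token"]):
            return 403, "missing or invalid CSRF token"
    return 200, f"{method} {path} done for {session['user']}"


def demo():
    """Legitimate ajax call versus a forged cross-site request, same cookie both times."""
    sid = create_session("alice")
    cookies = {"session": sid}  # the browser sends this cookie in either case
    legit = handle_request("POST", "/api/transfer", cookies,
                           {"X-CSRF-Token": csrf_token_for(sid)})
    forged = handle_request("POST", "/api/transfer", cookies, {})
    safe_get = handle_request("GET", "/api/balance", cookies, {})
    return legit[0], forged[0], safe_get[0]


if __name__ == "__main__":
    print(demo())  # (200, 403, 200)
```

The token is required only on state-changing methods; a GET must not change state in the first place, which is the other half of the pattern. Sending the token in a request header rather than a form field fits an ajax application well, because a cross-site form post cannot set custom headers.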


A general, golden rule would be:

Never trust that the incoming client request is a legitimate one. Be always suspicious and assume that the request could be maliciously forged.

A few specific rules beyond the OWASP article already mentioned:

  1. If your data needs authentication/authorization, avoid generic interfaces on the server, like a CRUD interface: easy to code, difficult to authorize for specific requests coming from clients. Instead, offer a SOA-style interface with explicit methods dedicated to specific use cases, where you will have direct control over requests and their parameters.

    http://msdn.microsoft.com/en-us/library/ms954638.aspx

  2. Even if the framework provides some control over request validity (ASP.NET viewstate), check again whether the user is authorized to pass the set of incoming parameters.

answered Oct 19 '22 16:10 by Wiktor Zychla
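The contrast in rule 1, shown as an added example (not code from the answer): a generic CRUD-style update that applies whatever fields the client sent, next to a use-case-specific method whose only inputs are the caller's identity from the server-side session and an order id, with the authorization rule spelled out in code. The order data, field names and user names are constructed for the example.

```python
from copy import deepcopy

# Constructed sample data: orders keyed by id, each owned by exactly one user.
SEED_ORDERS = {
    1: {"owner": "alice", "status": "open", "total": 120.0},
    2: {"owner": "bob", "status": "open", "total": 45.0},
}


def fresh_orders():
    """Return a private copy of the sample data so each run starts clean."""
    return deepcopy(SEED_ORDERS)


def generic_update(orders, record_id, fields):
    """Generic CRUD handler: applies whatever fields the client sent.
    Easy to code, but it has no notion of who is calling or which fields a
    caller may touch, so owner and total are as writable as anything else."""
    record = orders.get(record_id)
    if record is None:
        return "not found", None
    record.update(fields)
    return "ok", record


def cancel_order(orders, current_user, order_id):
    """Use-case-specific handler. current_user comes from the server-side
    session, never from the request body, and the method changes exactly one
    field under an explicit rule: only the owner may cancel an open order."""
    order = orders.get(order_id)
    if order is None or order["owner"] != current_user:
        return "forbidden", None  # same answer whether the order exists or not
    if order["status"] != "open":
        return "conflict", order
    order["status"] = "cancelled"
    return "ok", order


if __name__ == "__main__":
    orders = fresh_orders()
    # The generic endpoint cannot tell this tampering apart from a legitimate edit.
    print(generic_update(orders, 2, {"owner": "alice", "total": 0.0}))
    orders = fresh_orders()
    print(cancel_order(orders, "alice", 2))  # ('forbidden', None)
    print(cancel_order(orders, "bob", 2))    # ('ok', {... 'status': 'cancelled' ...})
```

The explicit method is also what makes rule 2 workable: with a fixed, small parameter set per use case, the server can re-check authorization for exactly those parameters instead of trying to reason about an arbitrary field list.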