I have already seen some questions here (stackoverflow) and THIS post, but I still have some questions...
Using a hidden value in the POST form and checking it when the POST reaches the server.
Setting a cookie when you reach the form and sending the cookie value as a hidden value.
Using a 'timeout', so the POST values cannot arrive too late.
I want to be protected against CSRF... but how exactly do I do it?
The most effective method of protecting against CSRF is by using anti-CSRF tokens. The developer should add such tokens to all forms that allow users to perform any state-changing operations. When an operation is submitted, the web application should then check for the presence of the correct token.
Login CSRF can be mitigated by creating pre-sessions (sessions before a user is authenticated) and including tokens in the login form.
A CSRF token is a secure random token (e.g., synchronizer token or challenge token) that is used to prevent CSRF attacks. The token needs to be unique per user session and should be a large random value to make it difficult to guess. A CSRF-secure application assigns a unique CSRF token to every user session.
You can further protect your web application by using a web application firewall (WAF) to automatically detect and block CSRF and other common application attacks, such as those in the OWASP Top 10.
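As an added illustration of the synchronizer-token and pre-session approach described in this answer (example code written for this page, not from the original answer or any framework), here is a framework-free Python sketch. `SESSIONS`, `create_session`, `render_form`, `csrf_ok` and `handle` are hypothetical names, and the in-memory dict stands in for a real server-side session store.

```python
import hmac
import secrets

# Added example: synchronizer-token pattern with a server-side session store.
# SESSIONS is an in-memory dict standing in for a real session backend.
SESSIONS: dict = {}


def create_session() -> str:
    """Start a pre-session (no user yet) and mint its CSRF token.

    Because the token exists before login, the login form can be protected
    against login CSRF exactly like any other state-changing form.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid: str, action: str) -> str:
    """Embed the session's token as a hidden field.

    token_urlsafe output only contains [A-Za-z0-9_-], so no HTML escaping
    is needed for the attribute value here.
    """
    token = SESSIONS[sid]["csrf_token"]
    return (
        f'<form method="post" action="{action}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<button type="submit">Go</button></form>'
    )


def csrf_ok(sid: str, form: dict) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    session = SESSIONS.get(sid)
    submitted = form.get("csrf_token")
    if session is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(submitted.encode(), session["csrf_token"].encode())


def handle(method: str, sid: str, form: dict) -> int:
    """Dispatch like a tiny app and return an HTTP status code.

    GET is a safe method and is never checked; every state-changing POST is
    rejected with 403 unless the token matches the caller's session.
    """
    if method == "GET":
        return 200
    if method != "POST" or not csrf_ok(sid, form):
        return 403
    if form.get("action") == "login":
        # Privilege level changes here: bind the user to the pre-session and
        # rotate the token so one captured before login cannot be reused after.
        SESSIONS[sid]["user"] = form.get("username")
        SESSIONS[sid]["csrf_token"] = secrets.token_urlsafe(32)
    return 200
```

The token never leaves the server except inside the rendered form, a token from one session is useless in another, and rotating it at login means the pre-session token does not carry over into the authenticated session.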
The easiest way I found to prevent CSRF issues is:
On the server side, assign an HttpOnly cookie to the client with a random (unguessable) token
Place a hidden field on the form with that cookie value
Upon form submit, ensure the hidden field value equals the cookie value (on the server side of things)
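An added Python example of the cookie-plus-hidden-field check this answer describes (not the answer's own code), taken one step further: the cookie value is a random nonce plus an HMAC under a server-side key, so a value an attacker manages to plant as a cookie (for example from a sibling subdomain) fails verification even when it matches the hidden field. `SERVER_SECRET`, `COOKIE_NAME`, `new_csrf_token`, `set_cookie_header`, `valid_token` and `check_double_submit` are hypothetical names; the secret is generated here for the demo and would normally be loaded from configuration.

```python
import hashlib
import hmac
import secrets
from http.cookies import CookieError, SimpleCookie

# Added example. SERVER_SECRET is generated per process here for illustration;
# in a real deployment it is loaded from configuration so that every instance
# shares it and it survives restarts.
SERVER_SECRET = secrets.token_bytes(32)
COOKIE_NAME = "csrf"


def _sign(nonce: str) -> str:
    """Hex HMAC-SHA256 of the nonce under the server key."""
    return hmac.new(SERVER_SECRET, nonce.encode(), hashlib.sha256).hexdigest()


def new_csrf_token() -> str:
    """Unguessable token: URL-safe random nonce joined to its signature."""
    nonce = secrets.token_urlsafe(32)  # chars [A-Za-z0-9_-], never '.'
    return f"{nonce}.{_sign(nonce)}"


def set_cookie_header(token: str) -> str:
    """Set-Cookie value for the token. HttpOnly is fine because the server,
    not client-side script, copies the value into the hidden form field.
    Secure assumes the site is served over HTTPS."""
    return f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def valid_token(token: str) -> bool:
    """Reject any token whose signature was not produced with SERVER_SECRET."""
    nonce, sep, sig = token.partition(".")
    if not sep or not nonce:
        return False
    return hmac.compare_digest(sig.encode(), _sign(nonce).encode())


def check_double_submit(cookie_header: str, form: dict) -> bool:
    """Server-side check on form submit: the hidden field must equal the
    cookie, and the cookie must carry a valid server signature."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return False
    morsel = jar.get(COOKIE_NAME)
    field = form.get("csrf_token")
    if morsel is None or not isinstance(field, str):
        return False
    cookie_val = morsel.value
    # Compare as bytes so a non-ASCII submission cannot raise instead of failing.
    if not hmac.compare_digest(cookie_val.encode(), field.encode()):
        return False
    return valid_token(cookie_val)
```

Without the signature, the plain "cookie equals hidden field" check is only as strong as the attacker's inability to set a cookie for your origin; the HMAC closes that gap without the server having to store anything per user.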