Checking the Referer header is a commonly used method of preventing CSRF on embedded network devices because it does not require per-user state. This makes Referer checking a useful CSRF defence when memory is scarce.
To prevent CSRF attacks, use anti-forgery tokens with any authentication protocol where the browser silently sends credentials after the user logs in. This includes cookie-based authentication protocols, such as forms authentication, as well as protocols such as Basic and Digest authentication.
The Origin header in an HTTP request indicates the origin from which the request was initiated. This can be useful in preventing cross-site request forgery.
The Referer header can in some circumstances be used as an effective protection against CSRF. However, with the introduction of Referrer-Policy, the attacker can control whether this header is sent with the request at all, so CSRF protection mechanisms must treat a missing or empty Referer header as a failed check and block the request.
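The source-origin check described above, written out as an added example (not code from this page or from any project it mentions) in Python rather than the page's ASP.NET code. It prefers the Origin header, falls back to Referer, compares scheme, host and port exactly, and fails closed when neither header is present, which is the empty-Referer case the paragraph warns about. ALLOWED_ORIGIN and the header dictionaries are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed site configuration (assumption for this example): the origin that
# legitimate form posts come from.
ALLOWED_ORIGIN = "https://mysite.com"


def origin_of(url):
    """Reduce a URL or Origin value to a normalised scheme://host[:port] string.

    Returns None for values that carry no scheme or host (including the
    literal "null" Origin), so they can never compare equal to a real origin.
    """
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()  # urlsplit already lowercases hostname
    default_port = {"https": 443, "http": 80}.get(scheme)
    if parts.port is None or parts.port == default_port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{parts.port}"


def source_origin_is_allowed(headers, allowed_origin=ALLOWED_ORIGIN):
    """Return True only if the request can be shown to come from allowed_origin.

    headers: dict of request header name -> value (names matched
    case-insensitively). Origin is checked first because browsers set it on
    cross-site POSTs; Referer is the fallback. If neither is present the
    request is unverifiable and is rejected rather than waved through.
    """
    h = {name.lower(): value for name, value in headers.items()}
    expected = origin_of(allowed_origin)

    origin = h.get("origin")
    if origin is not None:
        return origin_of(origin) == expected

    referer = h.get("referer")
    if referer:
        return origin_of(referer) == expected

    # Neither header present (e.g. suppressed by Referrer-Policy): fail closed.
    return False


if __name__ == "__main__":
    # Constructed sample requests, as a defender would unit-test the filter.
    samples = [
        ({"Origin": "https://mysite.com"}, True),
        ({"Referer": "https://mysite.com/account/register"}, True),
        ({"Referer": "https://other.example/form"}, False),
        ({"Origin": "http://mysite.com"}, False),   # wrong scheme
        ({"Origin": "null"}, False),
        ({}, False),                                # no header at all
    ]
    for hdrs, want in samples:
        got = source_origin_is_allowed(hdrs)
        print(f"{hdrs!r:55} -> {got} (expected {want})")
```

The exact-equality comparison on the normalised origin matters: a check that merely looks for the site's name inside the header value would also accept other hosts that contain it, whereas comparing the whole origin string does not.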
I read about how to protect my web site from CSRF attacks in an ASP.NET MVC web application. They mentioned two ways to do so, either by:

1. using token verification, by using @Html.AntiForgeryToken() in the view and [ValidateAntiForgeryToken] on the action; or

2. using HTTP referrer validation such as:

    using System.Web.Mvc;

    // Authorization filter that rejects a request when the Referer header is
    // missing or names a host other than this site.
    public class IsPostedFromThisSiteAttribute : AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext.HttpContext != null)
            {
                // Referrer policy can suppress the header; treat absence as failure.
                if (filterContext.HttpContext.Request.UrlReferrer == null)
                    throw new System.Web.HttpException("Invalid submission");

                // Compare the whole host exactly, not a prefix or suffix of it.
                if (filterContext.HttpContext.Request.UrlReferrer.Host != "mysite.com")
                    throw new System.Web.HttpException("This form wasn't submitted from this site!");
            }
        }
    }

   and

    [IsPostedFromThisSite]
    public ActionResult Register(…)

So I got confused about whether I should use both of them to protect my web site from CSRF attacks, or whether I can select just one of these methods?
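The anti-forgery token mechanism the question compares with referrer validation, shown as an added example (not code from this page and not an implementation of ASP.NET's own helper, which hides these steps behind AntiForgeryToken() and [ValidateAntiForgeryToken]). It is written in Python so it can run stand-alone; SERVER_KEY and the session identifiers are constructed for the example. The token is a random nonce plus an HMAC that binds it to the user's session, so a value copied out of one session does not validate in another, and it is compared in constant time. A token check like this is independent of any Referer or Origin header, which is why it keeps working when the browser sends neither.

```python
import base64
import hashlib
import hmac
import os

# Constructed server secret (assumption for this example). In a deployment it is
# generated once, kept out of source control, and shared by all web nodes.
SERVER_KEY = b"example-only-32-byte-secret-key!"
NONCE_LEN = 16
MAC_LEN = hashlib.sha256().digest_size
# Hidden form field carrying the token; this is the field name ASP.NET MVC's
# AntiForgeryToken helper emits.
FORM_FIELD = "__RequestVerificationToken"


def _mac(session_id, nonce):
    """HMAC over session id and nonce, binding the token to one session."""
    msg = session_id.encode("utf-8") + b"\x00" + nonce
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_token(session_id, nonce=None):
    """Create a token to embed in a form rendered for the given session.

    nonce may be supplied for deterministic tests; otherwise it is random.
    """
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    raw = nonce + _mac(session_id, nonce)
    return base64.urlsafe_b64encode(raw).decode("ascii")


def validate_token(session_id, token):
    """Return True only if token was issued for session_id and is untampered."""
    if not token:
        return False
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return False          # not base64 at all
    if len(raw) != NONCE_LEN + MAC_LEN:
        return False          # truncated or padded
    nonce, mac = raw[:NONCE_LEN], raw[NONCE_LEN:]
    # Constant-time comparison so a forged MAC cannot be matched byte by byte.
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def form_submission_is_valid(session_id, form):
    """Check a posted form dict for a valid token bound to this session."""
    return validate_token(session_id, form.get(FORM_FIELD, ""))


if __name__ == "__main__":
    # Constructed walk-through: render a form for one session, post it back,
    # then show the same token failing for a different session.
    sid = "session-abc123"
    token = issue_token(sid)
    print("rendered hidden field:", FORM_FIELD, "=", token)
    print("same session validates:", form_submission_is_valid(sid, {FORM_FIELD: token}))
    print("other session validates:", form_submission_is_valid("session-xyz789", {FORM_FIELD: token}))
    print("missing field validates:", form_submission_is_valid(sid, {}))
```

Because the server only needs its key and the session id to recompute the HMAC, it does not have to store every issued token, which is the same property that makes Referer checking attractive on memory-constrained devices.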