CSRF protection is a must when using cookies. A very simple way to prevent CSRF attacks is to check the Origin header for non-GET requests.
13 Matching Annotations
- Mar 2025
-
lucia-auth.com lucia-auth.com
-
- Sep 2023
-
cheatsheetseries.owasp.org cheatsheetseries.owasp.org
- Aug 2023
-
kit.svelte.dev kit.svelte.dev
-
```js // CSRF
/* @type {import('@sveltejs/kit').Config} / const config = { kit: { checkOrigin?: true, } }; export default config; ```
Tags
Annotators
URL
-
- Aug 2022
-
tech.meituan.com tech.meituan.com
-
攻击者诱导受害者进入第三方网站,在第三方网站中,向被攻击网站发送跨站请求。利用受害者在被攻击网站已经获取的注册凭证,绕过后台的用户验证,达到冒充用户对被攻击的网站执行某项操作的目的。
-
CSRF的名气似乎
Tags
Annotators
URL
-
- Jun 2021
-
disqus.com disqus.com
-
While rails does have nice CSRF protection, in my instance it limited me.
-
However, the cookie containing the CSRF-TOKEN is only used by the client to set the X-XSRF-TOKEN header. So passing a compromised CSRF-TOKEN cookie to the Rails app won't have any negative effect.
-
In short: storing the token in HttpOnly cookies mitigates XSS being used to get the token, but opens you up to CSRF, while the reverse is true for storing the token in localStorage.
-
On the security side I think code injection is still a danger. If someone does smuggle js into your js app they'll be able to read your CSRF cookie and make ajax requests using your logged-in http session, just like your own code does
-
-
cheatsheetseries.owasp.org cheatsheetseries.owasp.org
-
Remember that any Cross-Site Scripting (XSS) can be used to defeat all CSRF mitigation techniques!
-
-
- Nov 2018
-
zh.wikipedia.org zh.wikipedia.org
-
跟跨网站脚本(XSS)相比,XSS 利用的是用户对指定网站的信任,CSRF 利用的是网站对用户网页浏览器的信任。
XSS 是对客户端的攻击
CSRF 是对服务端的攻击
-