keycloak-scim/server_admin/topics/threat/csrf.adoc


=== CSRF Attacks

Cross-site request forgery (CSRF) is a web-based attack whereby HTTP requests are transmitted from a user that the
web site trusts or has authenticated with(e.g. via HTTP redirects or HTML forms).  Any site that uses cookie based authentication is vulnerable to these types of attacks.
These attacks are mitigated by matching a state cookie against a posted form or query parameter.

The OAuth 2.0 login specification requires that a state cookie be used and matched against a transmitted state parameter.
{project_name} fully implements this part of the specification so all logins are protected.

The {project_name} Admin Console is a pure JavaScript/HTML5 application that makes REST calls to the backend {project_name} admin REST API.
These calls all require bearer token authentication and are made via JavaScript Ajax calls.
CSRF does not apply here.
The admin REST API can also be configured to validate the CORS origins as well.

The only part of {project_name} that really falls into CSRF is the user account management pages.
To mitigate this {project_name} sets a state cookie and also embeds the value of this state cookie within hidden form fields or query parameters in action links.
This query or form parameter is checked against the state cookie to verify that the call was made by the user.
threat 2016-05-31 22:00:59 +00:00
			`=== CSRF Attacks`

			`Cross-site request forgery (CSRF) is a web-based attack whereby HTTP requests are transmitted from a user that the`
Update topics/threat/csrf.adoc 2016-06-13 06:39:23 +00:00			`web site trusts or has authenticated with(e.g. via HTTP redirects or HTML forms). Any site that uses cookie based authentication is vulnerable to these types of attacks.`
threat 2016-05-31 22:00:59 +00:00			`These attacks are mitigated by matching a state cookie against a posted form or query parameter.`

Minor changes for threat model chapter. 2016-06-07 19:02:18 +00:00			`The OAuth 2.0 login specification requires that a state cookie be used and matched against a transmitted state parameter.`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`{project_name} fully implements this part of the specification so all logins are protected.`
threat 2016-05-31 22:00:59 +00:00
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`The {project_name} Admin Console is a pure JavaScript/HTML5 application that makes REST calls to the backend {project_name} admin REST API.`
Fixes for the typos found 2016-06-01 13:12:51 +00:00			`These calls all require bearer token authentication and are made via JavaScript Ajax calls.`
threat 2016-05-31 22:00:59 +00:00			`CSRF does not apply here.`
			`The admin REST API can also be configured to validate the CORS origins as well.`

Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`The only part of {project_name} that really falls into CSRF is the user account management pages.`
			`To mitigate this {project_name} sets a state cookie and also embeds the value of this state cookie within hidden form fields or query parameters in action links.`
threat 2016-05-31 22:00:59 +00:00			`This query or form parameter is checked against the state cookie to verify that the call was made by the user.`