=== CSRF Attacks

Cross-site request forgery (CSRF) is a web-based attack in which HTTP requests are transmitted from a user that the web site trusts or has authenticated with (e.g. via HTTP redirects or HTML forms).
Any site that uses cookie-based authentication is vulnerable to these types of attacks, because the browser attaches the session cookie to the forged request automatically.
These attacks are mitigated by matching a state cookie against a posted form or query parameter.

The OAuth 2.0 login specification requires that a state cookie be used and matched against a transmitted state parameter.
{{book.project.name}} fully implements this part of the specification, so all logins are protected.

The {{book.project.name}} Admin Console is a pure JavaScript/HTML5 application that makes REST calls to the backend {{book.project.name}} admin REST API.
These calls all require bearer token authentication and are made via JavaScript Ajax calls.
CSRF does not apply here, since the bearer token is sent explicitly by the application's own script and is not attached automatically by the browser the way a cookie is.
The admin REST API can additionally be configured to validate the CORS origins.

The only part of {{book.project.name}} that is genuinely exposed to CSRF is the user account management pages.
To mitigate this, {{book.project.name}} sets a state cookie and also embeds the value of this state cookie within hidden form fields or query parameters in action links.
This query or form parameter is checked against the state cookie to verify that the call was made by the user.