Cross-Site Request Forgery (CSRF) pattern: use anti-CSRF tokens for requests with side-effects

  • e.g. password changes, address changes, purchases

pattern: SameSite cookie policy

Set-Cookie: SID=...; SameSite=strict
  • 😞not zero-cost -> requires changes to the session management approach
  • session “read” cookie: not SameSite=Strict, so it is still sent on cross-site navigations (GET requests that must not change state)
  • session “write” cookie: SameSite=Strict, so the browser withholds it from any cross-site request; only it authorizes state-changing requests
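Added example (not from the slides or the OWASP cheat sheet): a minimal server-side sketch of the split-cookie pattern combined with a session-bound anti-CSRF token. Cookie names (SID_read, SID_write), the HMAC-derived token, and the in-memory key are assumptions for illustration.

```python
import hmac
import hashlib
import secrets
from http.cookies import SimpleCookie
from typing import List, Optional, Tuple

# Server-side key for deriving tokens; constructed at startup for this example.
SECRET = secrets.token_bytes(32)


def issue_session_cookies(session_id: str) -> List[str]:
    """Return the two Set-Cookie headers of the split-cookie pattern.

    SID_read (SameSite=Lax) accompanies top-level cross-site GETs so links
    into the app still see a logged-in user; SID_write (SameSite=Strict)
    is withheld by the browser from every cross-site request.
    """
    return [
        f"SID_read={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax",
        f"SID_write={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict",
    ]


def csrf_token(session_id: str) -> str:
    """Anti-CSRF token bound to the session via HMAC (no per-token storage)."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def authorize_state_change(cookie_header: str, form_token: Optional[str]) -> Tuple[bool, str]:
    """Gate for side-effecting requests (POST/PUT/DELETE).

    Requires the Strict 'write' cookie (so cross-site requests fail even if
    the browser sent SID_read) and a valid token for that session.
    """
    jar = SimpleCookie(cookie_header or "")
    if "SID_write" not in jar:
        return False, "no write cookie (cross-site or unauthenticated)"
    sid = jar["SID_write"].value
    if "SID_read" in jar and jar["SID_read"].value != sid:
        return False, "read/write cookies disagree"
    if not form_token or not hmac.compare_digest(form_token, csrf_token(sid)):
        return False, "missing or invalid anti-CSRF token"
    return True, sid
```

A plain GET handler would only consult SID_read; any handler that changes state goes through authorize_state_change first.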

ref: Cross-Site Request Forgery Prevention - OWASP Cheat Sheet Series

(src: