How to mitigate CSRF attacks

Educative Team

Overview

Cross-site request forgery (CSRF) is a web security vulnerability that lets an attacker abuse a website user's authenticated session to perform harmful actions the user did not intend. We can read about CSRF in detail here.

We have several mitigation techniques for CSRF attacks, as shown below.

Techniques

Note: Which mitigation technique to adopt depends on the situation.

Token-based mitigation

Each user has just one valid token for each request. When a user logs in and a session is created, the server also generates a random token, which must be included in each of the user's requests. When a request reaches the server, the server checks whether the submitted token matches the one it issued; if it does, the request is processed. Otherwise, it is rejected.
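The following is an added example (not code from the original article) showing the server side of the token check in plain Python: a token is generated when the session is created, embedded in the site's own forms, and compared in constant time on every state-changing request. The in-memory `SESSIONS` dictionary and the function names are assumptions standing in for a real session backend.

```python
import hmac
import secrets

# Constructed in-memory session store; a real deployment would use its
# server-side session backend (database, cache, signed session, ...).
SESSIONS = {}


def create_session(user_id):
    """Log a user in: create a session id and bind one fresh CSRF token to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {
        "user": user_id,
        # Unpredictable per-session token; a cross-site page cannot read it.
        "csrf_token": secrets.token_urlsafe(32),
    }
    return session_id


def csrf_token_for(session_id):
    """Value the server embeds in its own forms (e.g. a hidden input)."""
    return SESSIONS[session_id]["csrf_token"]


def handle_state_changing_request(session_id, submitted_token):
    """Return True if the request may proceed, False if it must be rejected."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False  # no authenticated session at all
    if not isinstance(submitted_token, str) or not submitted_token:
        return False  # token missing from the request
    # compare_digest avoids leaking the token through timing differences.
    expected = session["csrf_token"].encode()
    return hmac.compare_digest(expected, submitted_token.encode())


if __name__ == "__main__":
    sid = create_session("alice")
    # Legitimate form submission carries the token the server issued.
    print(handle_state_changing_request(sid, csrf_token_for(sid)))
    # A forged cross-site request rides on the cookie but cannot supply the token.
    print(handle_state_changing_request(sid, None))
```

The key property is that the browser attaches the session cookie automatically, but the attacker's page has no way to learn the token, so a request lacking it (or carrying a guessed one) is rejected.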

Verifying the origin headers

If the request does not originate from the same domain as the website, we can decline it. If the Origin header is missing, we check the Referer header instead.

Checking referer header

We can simply reject the request if the hostname in the Referer header does not match the site's domain name.
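As an added example (not part of the original article), the two header checks above combined into one function: the Origin header is compared against the site's own origin, the Referer header is used only when Origin is absent, and a request with neither is rejected. `ALLOWED_ORIGINS` and the sample host `bank.example` are assumptions.

```python
from urllib.parse import urlsplit

# The site's own origin(s); constructed for this example.
ALLOWED_ORIGINS = {"https://bank.example"}


def origin_of(url):
    """Reduce a URL or Origin value to scheme://host[:port], the unit compared
    in an origin check. Returns None for values that are not a full origin
    (e.g. the literal "null" origin or a bare path)."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_trusted_source(headers):
    """Origin check with Referer fallback.

    headers: mapping of request header names to values (any case).
    Returns True if the request demonstrably came from the site itself.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is not None:
        return origin_of(origin) in ALLOWED_ORIGINS
    referer = lowered.get("referer")
    if referer is not None:
        # Comparing the parsed netloc, not a string prefix, defeats look-alike
        # hosts such as bank.example.evil.example.
        return origin_of(referer) in ALLOWED_ORIGINS
    # Neither header present: the source cannot be verified, so a
    # state-changing request is rejected.
    return False


if __name__ == "__main__":
    print(is_trusted_source({"Origin": "https://bank.example"}))
    print(is_trusted_source({"Referer": "https://evil.example/page"}))
```

Note that browsers may strip the Referer header under some referrer policies, which is why the text treats it as a fallback rather than the primary check; a missing-header request is rejected rather than waved through.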

SameSite cookies

SameSite is an attribute of the Set-Cookie header. It determines whether the browser sends the cookie with cross-site requests. The attribute takes one of three values: Strict, Lax, or None.

Double submit cookie

Sending the same random value in both a cookie and a request parameter is known as the double submit cookie technique; the server checks that the cookie value and the request value are equal.
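An added example (not from the original article) covering the two techniques above: the server issues the CSRF cookie with a `SameSite=Lax` attribute on its Set-Cookie header, and verifies that the request carries the same value. It goes beyond the plain "equal values" check by binding the cookie value to the session with an HMAC, so a value an attacker managed to plant as a cookie would not pass. `SERVER_KEY`, the `__Host-csrf` cookie name and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed per-process key; a real server uses a stable, secret key.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id, nonce):
    """HMAC tying the random nonce to the user's session."""
    msg = f"{session_id}!{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_cookie(session_id):
    """Return (cookie_value, set_cookie_header) for a freshly authenticated session.

    The cookie is deliberately not HttpOnly: the site's own JavaScript (or a
    server-rendered hidden field) must copy the value into the request.
    SameSite=Lax keeps the browser from attaching it to cross-site POSTs."""
    nonce = secrets.token_hex(16)
    value = f"{nonce}.{_mac(session_id, nonce)}"
    header = f"__Host-csrf={value}; Path=/; Secure; SameSite=Lax"
    return value, header


def verify_double_submit(session_id, cookie_value, request_value):
    """True only if the cookie and the request parameter carry the same value
    and that value was issued by this server for this session."""
    if not isinstance(cookie_value, str) or not isinstance(request_value, str):
        return False
    # Step 1: the classic double-submit equality check, in constant time.
    if not hmac.compare_digest(cookie_value.encode(), request_value.encode()):
        return False
    # Step 2: the value must be one we minted for this session.
    nonce, sep, mac = cookie_value.partition(".")
    if not sep or not nonce or not mac:
        return False
    return hmac.compare_digest(_mac(session_id, nonce).encode(), mac.encode())


if __name__ == "__main__":
    value, header = issue_csrf_cookie("session-123")
    print(header)
    print(verify_double_submit("session-123", value, value))   # legitimate
    print(verify_double_submit("session-123", value, "guess"))  # forged
```

Usage: on login, emit `header` alongside the session cookie; on each state-changing request, pass the received cookie and the submitted parameter (or custom header) to `verify_double_submit`.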

OWASP CSRFGuard

OWASP CSRFGuard is a good tool for Java applications. We can integrate it with the application to protect it against CSRF.

Copyright ©2022 Educative, Inc. All rights reserved