[WEB SECURITY] How are you tackling CSRF?
paul at mcmillan.ws
Sat Apr 23 17:58:15 EDT 2011

Good point about CSRF tokens that are present but not actually validated.

From your remediation step list, it sounds like you're using your
session token as the CSRF token. This is a really bad idea. Your
session cookie should be set to HTTP-only, to prevent it from being
malicious attackers may be able to use that information to steal your
If you hash your session cookie value and use that for your token, you
will (mostly) mitigate this problem.

In general, ALL forms should have CSRF protection. Things like search
don't appear to be important at first, until you imagine how easily a
non-CSRF search could be used to cause a DoS on your site. Search is
usually an expensive operation. Don't make it easier for attackers.
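The advice above, as an added example that is not the poster's own code: instead of placing the raw session id in the page, the form carries a keyed hash of the session cookie value, and every state-changing handler (search included) actually verifies it in constant time. The handler names, the `SERVER_SECRET` value and the use of HMAC rather than a bare hash are my assumptions for illustration; the poster only says to hash the cookie value.

```python
import hashlib
import hmac

# Constructed example secret; a real deployment would load this from
# configuration and keep it out of the page and the repository.
SERVER_SECRET = b"example-only-secret-not-for-production"


def csrf_token_for_session(session_id: str) -> str:
    """Derive the per-session CSRF token from the session cookie value.

    A keyed hash means the token in the HTML reveals nothing about the
    HTTP-only session cookie, and nobody without SERVER_SECRET can mint a
    valid token for a given session.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_search_form(session_id: str) -> str:
    """Embed the derived token (never the session id itself) in the form."""
    token = csrf_token_for_session(session_id)
    return (
        '<form method="post" action="/search">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="text" name="q"><input type="submit"></form>'
    )


def validate_csrf(session_cookie, submitted_token) -> bool:
    """Return True only when a token is present AND matches this session.

    compare_digest avoids leaking the expected value through timing.
    """
    if not session_cookie or not submitted_token:
        return False
    expected = csrf_token_for_session(session_cookie)
    return hmac.compare_digest(expected, submitted_token)


def handle_search_post(cookies: dict, form: dict):
    """Search handler that rejects requests lacking a valid token.

    Even a read-only search endpoint is protected here, since an
    unprotected one can be driven by a third-party page to burn server
    resources. Returns (status, body).
    """
    if not validate_csrf(cookies.get("session"), form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    query = form.get("q", "")
    return 200, f"results for {query!r}"


def handle_search_post_unchecked(cookies: dict, form: dict):
    """The anti-pattern from the thread: token is in the form but never read.

    Kept only to contrast with handle_search_post; it accepts any request.
    """
    query = form.get("q", "")
    return 200, f"results for {query!r}"
```

The checked handler fails closed: a missing token, a token copied from another session, or the raw session id submitted as the token are all rejected, while a token generated for the same session passes.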