[WEB SECURITY] How are you tackling CSRF?

James Manico jim at manico.net
Sun Apr 24 16:27:31 EDT 2011


> Protecting only POST requests with tokens, but not GET. It looks like
some web developers are lazy (or it's hard for them) to add tokens to GET
requests.

Hang on a sec. W3C recommendations state that GET requests should be
idempotent (non-state changing) and therefore should not require CSRF token
protection.

Admittedly, this is the ideal. Many developers use GET requests for state
changing operations.

But GET-based tokens cause serious scalability problems when you are dealing
with CDNs (content delivery networks) like Akamai.

I could go on, but the key here is that this is not about "developer
laziness". CSRF defense is a more complex design decision than it appears at
first glance.

More here:

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Jim Manico

On Apr 23, 2011, at 3:59 PM, "MustLive" <mustlive at websecurity.com.ua> wrote:


2. Protecting only POST requests with tokens, but not GET. It looks like
some web developers are lazy (or it's hard for them) to add tokens to GET
requests.
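The thread above turns on whether a CSRF token belongs on the verb (POST) or on the operation (anything that changes state). The following is an added example, not code from the original post or from OWASP: a toy dispatcher that ties the synchronizer-token check to a per-handler "state_changing" flag rather than to the method, so a legacy state-changing GET is protected too. All routes (/balance, /transfer, /transfer-legacy), the Session and Request classes and the request scenarios are hypothetical, constructed inline so the example runs offline.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Methods HTTP defines as safe: no state change is expected from them.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Session:
    """Hypothetical server-side session. The token is bound to it, so an
    attacker's page cannot read it and cannot supply it in a forged request."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    balance: int = 100


@dataclass
class Request:
    """Constructed stand-in for a parsed HTTP request."""
    method: str
    path: str
    session: Session
    form: dict = field(default_factory=dict)   # body parameters (POST)
    query: dict = field(default_factory=dict)  # URL parameters (GET)


class App:
    def __init__(self):
        self.routes = {}

    def route(self, method, path, state_changing):
        """Register a handler and declare whether it changes server state."""
        def register(fn):
            self.routes[(method, path)] = (fn, state_changing)
            return fn
        return register

    def dispatch(self, req):
        entry = self.routes.get((req.method, req.path))
        if entry is None:
            return 404, "not found"
        handler, state_changing = entry
        if state_changing:
            # The check keys off what the handler does, not the verb: a
            # state-changing GET is as forgeable as a POST. For GET the only
            # place the token can travel is the URL, which is what makes
            # such URLs uncacheable by a CDN.
            params = req.query if req.method in SAFE_METHODS else req.form
            supplied = params.get("csrf_token", "")
            # Constant-time comparison; an empty or wrong token fails.
            if not hmac.compare_digest(supplied, req.session.csrf_token):
                return 403, "missing or invalid CSRF token"
        return handler(req)


app = App()


@app.route("GET", "/balance", state_changing=False)
def balance(req):
    return 200, req.session.balance


@app.route("POST", "/transfer", state_changing=True)
def transfer(req):
    req.session.balance -= int(req.form["amount"])
    return 200, req.session.balance


# The case discussed in the thread: a developer used GET for a state change.
@app.route("GET", "/transfer-legacy", state_changing=True)
def transfer_legacy(req):
    req.session.balance -= int(req.query["amount"])
    return 200, req.session.balance


def run_scenarios():
    """Constructed requests: a forged request carries no token because the
    attacker's page cannot read it; a legitimate one is built from the
    app's own page and carries the session's token."""
    s = Session()
    t = s.csrf_token
    results = {}
    # Read-only GET: token-free is fine, a forgery changes nothing.
    results["get_balance"] = app.dispatch(Request("GET", "/balance", s))[0]
    # Forged POST: an attacker-hosted form submission, no token.
    results["forged_post"] = app.dispatch(
        Request("POST", "/transfer", s, form={"amount": "50"}))[0]
    # Forged GET against the legacy endpoint: an <img src="..."> would do this.
    results["forged_get"] = app.dispatch(
        Request("GET", "/transfer-legacy", s, query={"amount": "50"}))[0]
    # Legitimate POST with the token in the body.
    results["legit_post"] = app.dispatch(
        Request("POST", "/transfer", s, form={"amount": "50", "csrf_token": t}))
    # Legitimate legacy GET: the token has to ride in the query string.
    results["legit_get"] = app.dispatch(
        Request("GET", "/transfer-legacy", s,
                query={"amount": "10", "csrf_token": t}))
    results["balance_after"] = s.balance
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```

Running it shows both forged requests rejected with 403 and both legitimate ones applied (balance 100 -> 50 -> 40). The /transfer-legacy route also illustrates the cost Jim mentions: once a per-session token must sit in the URL, every such URL is unique to a session and a CDN can no longer serve it from cache, which is why the cleaner fix is to move the state change to POST rather than to tokenize GET.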