Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw
 
PerlMonks  

Re: Is your web application really secure? ("CSRF")

by Joost (Canon)
on Mar 27, 2007 at 19:02 UTC ( #606838=note: print w/ replies, xml ) Need Help??


in reply to Is your web application really secure? ("CSRF")

I've thought for a while now that browsers probably shouldn't allow POST requests for another domain (especially scripted ones). Unfortunately that would break lots and lots of web applications so the chances of it being implemented are somewhere around zero.

One thing that might help a bit is to set up your webserver to prohibit POSTs that don't have a referer header from your trusted site(s). I'm pretty sure there's a way to do that in apache.

As far as I know you a malicious site can't fake a referer header* (unless maybe if you allow cross-site XMLHTTP - but all modern browsers prohibit that - right?)

Good suggestion on the tokens, by the way.


Comment on Re: Is your web application really secure? ("CSRF")
Re^2: Is your web application really secure? ("CSRF")
by betterworld (Deacon) on Mar 27, 2007 at 19:31 UTC
    I've thought for a while now that browsers probably shouldn't allow POST requests for another domain (especially scripted ones). Unfortunately that would break lots and lots of web applications
    A good start would be to warn the user that the form is sent to an external site, and not to send cookies.
Re^2: Is your web application really secure? ("CSRF")
by MidLifeXis (Prior) on Mar 29, 2007 at 17:26 UTC

    As far as I know you a malicious site can't fake a referer header* (unless maybe if you allow cross-site XMLHTTP - but all modern browsers prohibit that - right?)

    Never trust the browser

    --MidLifeXis

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://606838]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others scrutinizing the Monastery: (8)
As of 2014-12-26 03:16 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (164 votes), past polls