Is sending an anti-CSRF token in a header a good practice?


If we send an anti-CSRF token in our header value, how effective is this, and is this the best way to secure the application from an attacker?


A CSRF attack (Cross-Site Request Forgery) is a session-riding attack, whereby typically the victim is sent to an attacker-controlled website that uses some JavaScript to automatically submit a form POST to an endpoint on your application which changes some state.

The attack takes advantage of the way browsers use cookies, in that if you already have a session logged into yourcompany.com with cookies for your authentication, the cookies are automatically sent with any requests made to yourcompany.com.

The CSRF token comes into play here by being an extra field that is required by the backend code validating the form submission. Because the attacker-controlled site is typically not of the same origin as "yourcompany.com", it does not have access to your cookies or session data. Therefore it can only pre-populate known fields ahead of time. You should generate a unique CSRF token per user, per session, and store it in your users' sessions. Require the CSRF token to be submitted along with any form POST submissions that change state, and validate that it is correct.

Hope this helps
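As an added illustration of the scheme the answer describes (not code from the original post), here is a minimal server-side check: a per-session token is minted and stored with the session, and any state-changing request must present it, either in a custom header or as a form field, compared in constant time. The header name `X-CSRF-Token`, the field name `csrf_token`, and the in-memory session store are assumptions for the example.

```python
import hmac
import secrets

# Constructed in-memory session store for the example: session id -> session data.
SESSIONS = {}

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # must never change state, so not checked


def create_session():
    """Start a session and mint a unique CSRF token for it, as the answer advises."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token to embed as a hidden form field or hand to front-end JS for the header."""
    return SESSIONS[sid]["csrf_token"]


def is_valid_state_change(sid, method, headers, form):
    """Return True if a state-changing request carries the session's CSRF token.

    The token is accepted from the assumed header X-CSRF-Token or the assumed
    form field csrf_token. A cross-origin attacker page cannot read the session,
    so it cannot know this value and the request is rejected.
    """
    if method in SAFE_METHODS:
        return True
    session = SESSIONS.get(sid)
    if session is None:
        return False
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    submitted = lowered.get("x-csrf-token") or form.get("csrf_token")
    if not submitted:
        return False
    # Constant-time comparison avoids leaking the token through timing differences.
    return hmac.compare_digest(submitted, session["csrf_token"])
```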