How to protect against CSRF

3
votes

How can I protect my website against Cross-Site Request Forgery attack? I am visiting a "normal" website. (f.e. normal.php) In the background it loads another website (f.e. victim.php/send_comment) where I'm already logged in. The website fills the comment boxes of the victim.php with JS and automatically send the request.

In the web I always find the trick to use tokens against CSRF. But in this example, the website normal.php will get the token, when it loads the other website. Am I misunderstanding how the token works? If not, how can i prevent my site from accepting this request?

1
tokencsrf

1 Answers

1
votes

The whole idea of CSRF is that you can't get victim.php/send_comment without a token from a previous page you've visited.

You form a "chain" of requests from your initial login until you get there, where each request is authorized by the previous one - unless you intercept the login page, there should be no way to forge requests.

The easiest and safest way of doing this is just using a web framework that handles CSRF for you. Doing it by hand is probably unnecessary and error-prone.