Why not include CSRF protection for GET apis?

0
votes

I was reading up on CSRF and came across this question: https://security.stackexchange.com/questions/36671/csrf-token-in-get-request

Multiple people online have also seem to indicate that one should not protect GET requests against CSRF. However, I am confused by why.

If your GET request contains sensitive information (like say personal info for a user), then you would want to protect it against CSRF right? Otherwise an attacker can steal personal info.

I get that you shouldn't include the token in the GET URL because those may be logged. However, can't you just include them in a custom header?

1
securitycsrfcsrf-protection

1 Answers

3
votes

CRSF attacks are blind. They typically send a request without being able to read the result of the action. The reason here is the Same Origin Policy.

SOP prevents you from reading RESPONSES received by other origins, meaning that you can't access the private stuff anyways.

CRSF protection instead protects REQUESTS in the sense that it adds a token which symbolizes that the request is started by the web app itself