
CSRF Protection

Open giraffekey opened this issue 5 years ago • 2 comments

Since the library handles both client and server, I think it would be very helpful to have first-class CSRF protection. The Echo framework provides middleware that has a good solution: https://echo.labstack.com/middleware/csrf

Basically: Backend generates a secure token and stores it in a cookie. All frontend requests from then on send the cookie in the header. The backend only accepts requests that contain the correct token in the header.

It works because although the cookie itself will always get sent during an attempted attack, only the intended client can read the cookie and place it in the header, so as long as the server is verifying the header for each request, session hijacking is not possible. Using secure, samesite strict, and httponly helps provide further security.

giraffekey avatar Sep 04 '20 06:09 giraffekey
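The double-submit flow described above, as an added example written in Go with the standard library (it is not Stipple's code and not Echo's middleware); the cookie and header names, the 32-byte token size and the exemption for safe methods are assumptions of this example:

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
)

// Cookie and header names are assumptions for this example, not Stipple's.
const csrfCookie, csrfHeader = "_csrf", "X-CSRF-Token"

// newToken returns 32 random bytes, hex-encoded, as the session's CSRF token.
func newToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// issueToken stores the token in a Secure, SameSite=Strict cookie. It is not
// HttpOnly on purpose: the page script must read it to copy it into the header.
func issueToken(w http.ResponseWriter, token string) {
	http.SetCookie(w, &http.Cookie{Name: csrfCookie, Value: token, Path: "/",
		Secure: true, SameSite: http.SameSiteStrictMode})
}

// validRequest: safe methods pass; any other method must carry the cookie and an
// equal header (a forged cross-site request sends the cookie but cannot set the header).
func validRequest(r *http.Request) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true
	}
	c, err := r.Cookie(csrfCookie)
	return err == nil && c.Value != "" &&
		subtle.ConstantTimeCompare([]byte(c.Value), []byte(r.Header.Get(csrfHeader))) == 1
}

// CSRF is the middleware: it rejects state-changing requests that fail the check.
func CSRF(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !validRequest(r) {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

A handler that issues the cookie on first contact (`issueToken`) and every state-changing route wrapped in `CSRF` is all the server needs; the client script reads the cookie and copies it into the header on each request.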

@GiraffeKey Sounds like a great idea, I'll take a look! If you feel like trying to implement it, I'm happy to merge!

essenciary avatar Sep 15 '20 06:09 essenciary

Here is a good article about how it's done in Flask. Quite interesting read I think. https://testdriven.io/blog/csrf-flask/

mkschulze avatar Nov 13 '20 21:11 mkschulze