
Update: Table of Contents for CSRF Cheat Sheet

Open mkhanas opened this issue 1 month ago • 9 comments

What is missing or needs to be updated?

With the addition of the Fetch Metadata section, the CSRF Cheat Sheet has become somewhat harder to navigate. Currently, recommended mitigation patterns are mixed in the middle of the table of contents, which may make it less clear for developers to quickly find core recommendations.

The list in the Introduction section may also need updating to reflect any reordering.

This was brought up as part of the Update Fetch Metadata positioning PR, and it was decided to create a separate issue to discuss possible updates.

How should this be resolved?

The structure could look more like this:

## Disallowing Simple Requests
## Token-Based Mitigation
...
## Fetch Metadata Headers
## Dealing with Client-Side CSRF Attacks
## Defense In Depth Techniques

We discussed this as a possible high-level structure, but there are definitely other improvements to be made, especially at the subsection level, to improve clarity and prioritisation of the content.

mkhanas avatar Nov 16 '25 11:11 mkhanas

Hello, I'd like to work on this issue. I've reviewed the discussion and the current state of the CSRF Prevention Cheat Sheet, and I agree that the structure could be improved for better readability and navigation.

The current layout mixes primary mitigation strategies with defense-in-depth techniques, and the addition of the Fetch Metadata section has made it harder to follow the recommended mitigations in a prioritized order.

To resolve this, I propose the following plan:

  1. Restructure the main sections to present mitigation strategies in a more logical flow, as discussed in the issue. The new order would be:

    • Disallowing Simple Requests
    • Token-Based Mitigation
    • Fetch Metadata Headers
    • Dealing with Client-Side CSRF Attacks
    • Defense In Depth Techniques
  2. Improve content grouping: To further enhance the structure, I would also move the "JavaScript: Automatically Including CSRF Tokens..." section to be a subsection under "Token-Based Mitigation," as it provides implementation details for that strategy.

  3. Update the Introduction: Finally, I will update the list of principles in the "Introduction" to reflect this new, prioritized structure, making it a better guide for the reader.

I believe these changes would address the concerns raised and make the cheat sheet more accessible for developers.

If this plan sounds good, please assign this issue to me. I'm ready to implement the changes and submit a pull request.

macyman1 avatar Nov 18 '25 11:11 macyman1

@macyman1 do not work on this issue yet, because it cannot be worked on before we merge https://github.com/OWASP/CheatSheetSeries/pull/1875

mackowski avatar Nov 18 '25 11:11 mackowski

Got it, thanks for the heads-up. I'll wait for the merge of #1875 to be completed before I start.

macyman1 avatar Nov 18 '25 12:11 macyman1

Can I start working on this issue?

macyman1 avatar Nov 19 '25 06:11 macyman1

@macyman1 We're done with the changes in #1875, I think you can start.

mkhanas avatar Dec 04 '25 17:12 mkhanas

Can you assign me this issue? I already proposed my plan.

macyman1 avatar Dec 06 '25 14:12 macyman1

Can't do that, for that you need @mackowski

mkhanas avatar Dec 06 '25 15:12 mkhanas

@mackowski can you assign me this task?

macyman1 avatar Dec 07 '25 08:12 macyman1

Assigned

szh avatar Dec 07 '25 16:12 szh