Collaborate Disseminate
What I am building is service that can be consumed by third-party. Something like Omdb API for example.
For my service to be functional I needed to disable CSRF on some endpoints.
How can I secure them? To make CORS rules? To whitelist … Continue reading How to secure API used by third-parties?
Based on other questions, it seems protecting GET resources with CSRF tokens is useless. However, that quickly becomes untrue when CORS gets thrown into the mix
I have a server domain server.com and a UI app at client.com. The server.com … Continue reading Is CSRF protection required for sensitive GET requests with CORS enabled?
I’ve been using CORS for a while and I think I understand it. But as far as I can tell, because the allow-origin header is provided by the server being called, which an attacker can control as they see fit, same origin policy cannot preven… Continue reading With the existance of CORS, what further purpose does same origin policy serve?
I understand that the SameSite directive tries to protect against cross-origin leakages and CSRFs (see OWASP), but I don’t get why (on my browser at least) it applies to the cookie’s destination rather than on the client’s origin. As a con… Continue reading Why SetCookie’s SameSite directive applies the destination rather than the origin?
I realize that OWASP recommends CSRF tokens but I rarely see them used with public standalone HTTP APIs. This would seem to indicate that they’re not always necessary.
To make this a little more concrete, I would envision the following sc… Continue reading Do best practices eliminate the need for a CSRF token when writing an API server?
I realize that OWASP recommends CSRF tokens but I rarely see them used with public standalone HTTP APIs. This would seem to indicate that they’re not always necessary.
To make this a little more concrete, I would envision the following sc… Continue reading Do best practices eliminate the need for a CSRF token when writing an API server?
While testing a website for CORS misconfiguration, I have found that access-control-allow-origin header is being set dynamically based on host header in requests.
Is it safe or can be exploited?
Origin header is not gettin… Continue reading CORS misconfiguration
I would like to get some experts’ advice regarding the way I resolved the following issue:
Let’s say my personal app is hosted as an Azure App Service on https://example.azurewebsites.net
The JS client code running withing t… Continue reading CORS issue with WebApp on Azure + AAD
I found that a website protects itself of CSRF attacks by validating the POST request contains a specific header:
-Example-header: GF
What i find strange is that this header doesn’t have a csrf token in it, it is just a cu… Continue reading Custom header to avoid CSRF attacks? header without token
To summarize:
CSRF is an attack where a page in a different window/tab of the browser
sends nonconsensual request to an authenticated web app, that can typically
be prevented from server-side by checking the Referer, Origin header of the… Continue reading Clarification of relationship between CORS and CSRF [closed]