How can the Cookie-to-header-token CSRF protection technique be thwarted by permissive CORS origin header?

According to https://en.wikipedia.org/wiki/Cross-site_request_forgery#Cookie-to-header_token

The protection provided by this technique can be thwarted if the
target website disables its same-origin policy using one of the
following…

How can I securely disable CSRF validation for native clients when browser clients access the same API?

I have an API endpoint that is accessible by both native (console, mobile apps) and JavaScript-based clients.

How do I ensure that the CSRF AntiForgeryToken is only invoked during Javascript calls?

Can this be done in a no…

How does SupportsCredentials, Access-Control-Allow-Credentials, and CORS Origin=* relate?

I’m investigating CSRF implementations in ASP.NET, MVC, and WebAPI, and the relationship between the headers that are sent:

A Javascript client call of XMLHttpRequest.withCredentials
A server response of Access-Control-Allow-Credent…