Collaborate Disseminate
I am solving PortSwigger’s lab: "CSRF where token is tied to non-session cookie". For testing SameSite attribute I created a cookie in my browser with SameSite=Strict for domain https://<id>.web-security-academy.net/.
Then… Continue reading Browser sends cookie with "SameSite=Strict" attribute on another domain
Are there any security risks to returning a user’s JWT in the response body to a GET request? The JWT is only returned for authenticated users. Authentication is managed via a JWT stored as a HttpOnly, Secure, SameSite:Lax cookie.
Flow, in… Continue reading Security risks to returning JWT token in the response body to a GET request?
My question is : Is this approach correct given I have a non-Oauth service? My goal is to use the simplest amount of security features while still being as strong as possible.
My approach is as follows and I am asking for feedback on wheth… Continue reading I have a non-Oauth service and am using this approach with Server initiated HttpOnly cookies with stripped JWT
We have a web service where GET is always safe and all unsafe POST requests use single-use CSRF tokens. We have some cases where cross-origin domain would need to pass us POST request with data that should be used with currently active use… Continue reading I have CSRF protection implemented server side, can I safely use `SameSite=None; Secure; HttpOnly`?
Conventional wisdom to prevent CSRF is to use CSRF tokens, but with the new cookie attributes and prefixes, do you even need to generate/save tokens at all?
I’ve had the thought that if I just set a cookie with a static value, I can simply… Continue reading Is a static SameSite cookie enough to protect against CSRF?
As I understand it, the SameSite attribute for cookies helps me advise standard browsers what they can do with them.
So if I’m a server running on http://acme.com/my-app and I’ve set a cookie like:
Set-Cookie: JSESSIONID=1234567890abcdef; … Continue reading Why does Chrome require Secure for SameSite=None cookies?
I have read Incrementally Better Cookies, a couple of web.dev articles and tried to google for "same-origin cookies" but could not find anything so I wonder if this is being worked on.
SameSite=Strict & Lax are a very good pr… Continue reading Would "same-origin cookies" make sense?
I have a mostly public API with some parts of it "credentialed" behind cookies, similarly to e.g. how WordPress’ REST API works. (In our case, it’s a GraphQL API but that shouldn’t matter.)
I want to enable CORS for it and am con… Continue reading Difference between `Access-Control-Allow-Origin: *` (wildcard) and specific origins
I have read that storing the jwt token within the httponly secure cookie is the recommended way to prevent both csrf attacks and xss attacks.
When a user goes to my website they may make an api call like so
POST mygatewayproxy.example/logi… Continue reading Setting httponly secure cookies in microservice architecture
I am working on securing a Blazor WASM site. So far I have a Auth API so that my multiple apps can use one auth service. I also have a Blazor WASM site. I am tying to mimic the Anti-Forgery Tokens that a Asp.Net site would have. Since my s… Continue reading Blazor WASM Anti-Forgery Token