Cross-Site Request Forgery
11 days ago
- #Authentication
- #CSRF
- #Web Security
- CSRF (Cross-Site Request Forgery) is an attack in which another site causes the victim's browser to send a request that carries the user's cookies or originates from the user's network position.
- Applications that authenticate with cookies need CSRF protection, because the server must be able to tell requests the user intended from requests forged by an untrusted site.
- Same-site vs. same-origin requests are defined, with HTTPS and HTTP origins having different trust levels.
- Countermeasures include CSRF tokens (double-submit or synchronized), Origin header checks, SameSite cookies, and Fetch metadata.
- Fetch metadata (Sec-Fetch-Site header) is recommended for CSRF mitigation in modern browsers.
- A comprehensive CSRF protection algorithm is proposed, prioritizing Fetch metadata, with fallbacks for older browsers.
- Go 1.25 introduces a CrossOriginProtection middleware implementing the proposed algorithm.
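
The layered decision described in the last three bullets, written out as a Go middleware. This is an added illustration, not code from the article and not the standard library's `CrossOriginProtection`; the names `Verdict`, `checkCrossOrigin` and `protect` are this example's own. It assumes the `Host` header and the host part of `Origin` use the same port convention, and it has no trusted-origin allow list.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Verdict is the outcome of the check together with the rule that decided it,
// which is what you want in a rejection log.
type Verdict struct {
	Allowed bool
	Reason  string
}

// checkCrossOrigin applies the policy to one request's method and headers:
// Fetch metadata first, the Origin header as a fallback for older browsers,
// and a permissive default only when neither header is present.
func checkCrossOrigin(method, secFetchSite, origin, host string) Verdict {
	// Safe methods must not change state, so they are not CSRF targets and
	// have to stay reachable cross-site (links, image loads, top-level navigations).
	switch method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return Verdict{true, "safe method"}
	}

	// Layer 1: Fetch metadata. Modern browsers attach Sec-Fetch-Site to every request.
	switch secFetchSite {
	case "same-origin":
		return Verdict{true, "Sec-Fetch-Site: same-origin"}
	case "none":
		// User-initiated navigation (typed URL, bookmark), not a forged request.
		return Verdict{true, "Sec-Fetch-Site: none"}
	case "same-site", "cross-site":
		// A sibling subdomain is a different trust boundary too, so same-site is rejected.
		return Verdict{false, "Sec-Fetch-Site: " + secFetchSite}
	case "":
		// Header absent: older browser or non-browser client; use the Origin fallback.
	default:
		return Verdict{false, "unrecognized Sec-Fetch-Site: " + secFetchSite}
	}

	// Layer 2: Origin fallback. Browsers have sent Origin on cross-origin POSTs
	// for far longer than they have sent Fetch metadata.
	if origin == "" {
		// Neither header: either not a browser (no ambient cookies to abuse) or a
		// browser old enough to predate the Origin header.
		return Verdict{true, "no Sec-Fetch-Site or Origin header"}
	}
	if origin == "null" {
		// Opaque origin (sandboxed frame, some redirects): nothing to match against.
		return Verdict{false, "Origin: null"}
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return Verdict{false, "malformed Origin: " + origin}
	}
	if strings.EqualFold(u.Host, host) {
		return Verdict{true, "Origin host matches Host"}
	}
	return Verdict{false, "Origin " + origin + " does not match Host " + host}
}

// protect wraps a handler and answers 403 to state-changing requests that fail the check.
func protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		v := checkCrossOrigin(r.Method, r.Header.Get("Sec-Fetch-Site"), r.Header.Get("Origin"), r.Host)
		if !v.Allowed {
			http.Error(w, "cross-origin request rejected: "+v.Reason, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample requests (method, Sec-Fetch-Site, Origin, Host), not captured traffic.
	samples := [][4]string{
		{"POST", "same-origin", "", "app.example"},
		{"POST", "cross-site", "https://attacker.example", "app.example"},
		{"POST", "", "https://app.example", "app.example"},
		{"POST", "", "https://attacker.example", "app.example"},
		{"POST", "", "", "app.example"},
	}
	for _, s := range samples {
		v := checkCrossOrigin(s[0], s[1], s[2], s[3])
		fmt.Printf("%-5s Sec-Fetch-Site=%-12q Origin=%-26q allowed=%-5v (%s)\n", s[0], s[1], s[2], v.Allowed, v.Reason)
	}
	_ = protect // wired into a real server as http.ListenAndServe(":8080", protect(mux))
}
```

The order matters: a modern browser's Fetch metadata wins even if an attacker-controlled page could influence the Origin header, and the Origin fallback only runs when Fetch metadata is absent. Keep safe methods genuinely side-effect free, otherwise the first rule turns into a bypass.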