A modern approach to preventing CSRF in Go
2 days ago
- #CSRF Protection
- #Go
- #Web Security
- Go 1.25 introduced the `http.CrossOriginProtection` middleware to prevent CSRF attacks without token-based checks.
- The middleware inspects the `Sec-Fetch-Site` and `Origin` request headers and rejects cross-origin requests that use non-safe methods (anything other than GET, HEAD, OPTIONS).
- Limitations include effectiveness only in modern browsers and reliance on HTTPS for full functionality.
- Enforcing TLS 1.3 guarantees that any connecting browser is recent enough to send the necessary headers, which mitigates most CSRF risk.
- SameSite cookies (`SameSite=Lax` or `Strict`) provide additional defense against cross-site request forgery.
- Combining HTTPS, TLS 1.3, `http.CrossOriginProtection`, and SameSite cookies minimizes CSRF/CORF risks.
- Unmitigated risks include same-site CORF attacks in Firefox v60-69 and attacks from non-major browsers.
- Dropping token-based CSRF checks is only reasonable under specific conditions: strict HTTPS-only deployment and an explicit assumption about which browsers need to be supported.
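The following is an added example, not code from the original page or from the Go project. It reimplements, in plain Go, the header rules summarised above (safe methods pass; `Sec-Fetch-Site` decides when present; otherwise `Origin` is compared with `Host`; requests carrying neither header are treated as non-browser traffic and pass), wraps a handler with that check, and sets the `SameSite=Lax` session cookie the page recommends. The names `checkCrossOrigin`, `protect`, `sessionCookie` and `probe` are this example's own, the requests are constructed in-process with `httptest`, and the host `app.example` is a placeholder. On Go 1.25 or later the standard library's `http.NewCrossOriginProtection()` replaces `checkCrossOrigin`/`protect`; the reimplementation is here so the decision table can be run and read on any Go version.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// ErrCrossOrigin is returned for state-changing requests that arrive from
// another site (or, for browsers without Sec-Fetch-Site, another origin).
var ErrCrossOrigin = errors.New("cross-origin request rejected")

// checkCrossOrigin mirrors the rules described above. It is an illustration,
// not the stdlib code: on Go 1.25+ use http.NewCrossOriginProtection().
func checkCrossOrigin(r *http.Request) error {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return nil // safe methods must not change state, so they always pass
	}
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin", "none":
		return nil // same origin, or user-initiated (typed URL, bookmark)
	case "":
		// Header absent: an older browser or a non-browser client.
		// Fall back to the Origin header below.
	default:
		return ErrCrossOrigin // "cross-site" and "same-site" are both rejected
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		return nil // no fetch metadata at all: curl, server-to-server, etc.
	}
	// Older browser: accept only if the Origin host equals the request Host.
	// Host carries no scheme, so an http->https mismatch cannot be seen here;
	// that is the residual gap HTTPS-only deployment (HSTS) closes.
	if u, err := url.Parse(origin); err == nil && u.Host == r.Host {
		return nil
	}
	return ErrCrossOrigin
}

// protect is the middleware form of the check: reject with 403, else pass through.
func protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := checkCrossOrigin(r); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// sessionCookie builds the session cookie with the attributes the page pairs
// with the header check: SameSite=Lax plus Secure and HttpOnly.
func sessionCookie(value string) *http.Cookie {
	return &http.Cookie{
		Name: "session", Value: value, Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode,
	}
}

// probe sends one constructed request through the middleware and returns the
// HTTP status the client would see (204 = allowed, 403 = rejected).
func probe(method string, headers map[string]string) int {
	h := protect(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, sessionCookie("constructed-session-id"))
		w.WriteHeader(http.StatusNoContent)
	}))
	req := httptest.NewRequest(method, "https://app.example/transfer", nil) // placeholder host
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed scenarios covering each branch of the decision table.
	cases := []struct {
		name    string
		method  string
		headers map[string]string
	}{
		{"safe GET from another site", "GET", map[string]string{"Sec-Fetch-Site": "cross-site"}},
		{"POST, modern browser, same-origin", "POST", map[string]string{"Sec-Fetch-Site": "same-origin"}},
		{"POST, modern browser, cross-site", "POST", map[string]string{"Sec-Fetch-Site": "cross-site", "Origin": "https://attacker.example"}},
		{"POST, modern browser, same-site subdomain", "POST", map[string]string{"Sec-Fetch-Site": "same-site"}},
		{"POST, old browser, foreign Origin", "POST", map[string]string{"Origin": "https://attacker.example"}},
		{"POST, old browser, matching Origin", "POST", map[string]string{"Origin": "https://app.example"}},
		{"POST, non-browser client, no headers", "POST", nil},
	}
	for _, c := range cases {
		fmt.Printf("%-45s -> %d\n", c.name, probe(c.method, c.headers))
	}
}
```

The table printed by `main` is the point of the example: only the same-origin, matching-Origin, and header-less cases reach the handler. The header-less case is where the stdlib also fails open, which is why the page's conditions (HTTPS-only, modern-browser assumption) matter; a legitimate cross-origin caller should be allow-listed explicitly (in the stdlib, `AddTrustedOrigin`) rather than by loosening the check.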