Cross Site Request Forgery Prevention
CSRF (cross-site request forgery) is an attack in which unwanted operations are performed with the currently authenticated user's privileges, such as changing the password, transferring funds, or enabling/disabling a service.
In the worst case it is performed against an administrative account, which compromises the security of the entire application.
For example, suppose there is an endpoint that changes the user's contact number.
One way to carry out CSRF is for the intruder to embed that URL in a link the user is likely to click; the browser then sends the request with the user's session cookie attached:
<a href='http://mysite.com/change-number?new=54321'>Check your daily horoscope</a>
Here are a few ways to prevent CSRF attacks:
1.) Never perform actions that change user state, such as a password reset or changing the primary email, in a GET request.
3.) For requests that don't use form encoding (e.g. JSON sent via XHR/fetch), the random anti-CSRF value can be sent in a custom request header instead.
4.) Require user interaction: for critical transactions, ask the user to re-verify themselves with an OTP, a CAPTCHA, or the account password.
5.) Prevent the session cookie from being sent along with cross-site requests by setting the SameSite attribute to Strict. Strict withholds the cookie on every cross-site request, including top-level navigation from another site, whereas Lax still sends it on top-level GET navigations, which is one more reason state must never change on GET.
Set-Cookie: sessionid=<your id>; SameSite=Strict
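The server-side checks from points 1, 3 and the token-in-header idea above, as an added example that is not part of the original post: a constructed in-memory session store, a per-session random token, and a stand-in for the change-number endpoint that refuses GET and verifies the token from either a form field or the `X-CSRF-Token` header (names chosen here, not from the post).

```python
import hmac
import secrets

# Constructed session store: session id -> session data (not from the original post).
SESSIONS = {"sess-123": {"user": "alice"}}
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id):
    """Create (or reuse) a random, unguessable per-session anti-CSRF token.

    The token lives server-side and must be echoed back by the client in a
    hidden form field or a custom header. A page on another origin cannot
    read it, because the same-origin policy blocks cross-site reads.
    """
    session = SESSIONS[session_id]
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def is_request_allowed(session_id, method, body=None, headers=None):
    """Return (allowed, reason) for a state-changing request.

    Point 1: a GET never changes state, so it is refused outright.
    Point 3: clients that do not use form encoding send the token in the
    assumed header 'X-CSRF-Token'; form clients send field 'csrf_token'.
    """
    body = body or {}
    headers = headers or {}
    if method not in STATE_CHANGING_METHODS:
        return False, "state changes must not be performed via %s" % method
    session = SESSIONS.get(session_id)
    if session is None or "csrf_token" not in session:
        return False, "no authenticated session with an issued token"
    presented = headers.get("X-CSRF-Token") or body.get("csrf_token")
    if not presented:
        return False, "missing anti-CSRF token"
    # Constant-time comparison so the check itself leaks no timing signal.
    if not hmac.compare_digest(presented.encode(), session["csrf_token"].encode()):
        return False, "anti-CSRF token mismatch"
    return True, "ok"


def change_number(session_id, method, body=None, headers=None):
    """Constructed stand-in for the post's change-number endpoint."""
    allowed, reason = is_request_allowed(session_id, method, body, headers)
    if not allowed:
        return 403, reason
    new = (body or {}).get("new")
    SESSIONS[session_id]["phone"] = new
    return 200, "number changed to %s" % new
```

The forged link from the example above maps to the GET case and is rejected before the token is even looked at; a cross-site POST is rejected because the attacker's page cannot supply the token.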
Some precautionary steps users can take to protect themselves against CSRF attacks are:
1.) Perform sensitive work such as banking in the browser's `private/incognito` mode.
2.) Don't allow sites to remember your `username/password`.
4.) Log out of applications once the work is done.
That’s it. Hope you find it useful.
About CauseCode: We are a technology company specializing in Healthtech related Web and Mobile application development. We collaborate with passionate companies looking to change health and wellness tech for good. If you are a startup, enterprise or generally interested in digital health, we would love to hear from you! Let's connect at email@example.com