Linked Questions
10 questions linked to/from Should I use CSRF protection on Rest API endpoints?
Why is CSRF protection only applicable to web services with browser clients? [duplicate]
20 votes, 2 answers, 4k views
The Spring docs state:
Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-...
Will "Authorization: Bearer" in request header fix CSRF attacks? [duplicate]
12 votes, 2 answers, 24k views
I have been reading on fixing CSRF attacks. From some research I understand that checking for a non-standard header would prevent CSRF attacks since the browser will not automatically send such ...
CSRF-protection using authentication token in HTTP header? [duplicate]
2 votes, 1 answer, 4k views
I'm working on a web application which stores an authentication token in a cookie.
The only CSRF-protection is referrer checking.
I am considering improving this by moving the authentication token ...
CSRF with a CORS JSON API [duplicate]
1 vote, 2 answers, 1k views
We have api.example.com that communicates with app.example.com, a native Android app and an iOS app. We want to allow other third parties to communicate with the API too if they want, and as such we ...
Do I need CSRF token if I'm using Bearer JWT?
135 votes, 4 answers, 135k views
Context: Angular site is hosted on S3 behind CloudFront, separate from Express server that is used as API and almost all requests are XMLHttpRequests. All requests are sent without cookies (...
CSRF protection with custom headers (and without validating token)
90 votes, 5 answers, 119k views
For a REST-api it seems that it is sufficient to check the presence of a custom header to protect against CSRF attacks, e.g. client sends
"X-Requested-By: whatever"
and the server checks the ...
Does setting httponly prevent stealing a session using XSS?
20 votes, 5 answers, 21k views
If a session token is stored in a cookie that has httponly set, is there any way that an XSS vulnerability could allow a malicious user to steal a user's session token?
CSRF Origin and Referer Header just check host?
2 votes, 2 answers, 3k views
Note: This question is not the same as the linked possible duplicate. That question asks how checking the origin/referer header protects against CSRF. This question is asking how to implement the ...
Is it possible to do CSRF for POST request with an XML body
1 vote, 0 answers, 2k views
I am testing an application that sends XML data as the body of a POST request. The application is not using any CSRF token.
Is there any way to perform CSRF in this case? XHR does not work in latest browsers,...
This application is not using CSRF token but they are still able to protect sensitive actions on the site
0 votes, 2 answers, 279 views
This application is not using any CSRF token and not even cookies to identify users on their server. All they do is use an authorization header to identify users. Since an attacker doesn't know value ...
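Several of the questions above circle the same three points: a request authenticated only by an "Authorization: Bearer" header is not forgeable cross-site because the browser never attaches that header by itself; a cookie-authenticated API can be protected by requiring a custom header such as X-Requested-By; and an Origin/Referer check should compare the full origin rather than only the host. The gate below puts those together as an added example. It is not code from any of the linked questions or their answers. The allowed origins, the session cookie name `session`, the header name and the sample requests are all assumptions constructed for the demonstration, and the request object is a plain `{ method, headers }` with lower-cased header names, as Node's http module delivers them.

```javascript
// Added example, not code from any of the linked questions or answers.
// Hypothetical values: the API's own origins, the session cookie name and
// the custom header name are assumptions chosen for the demonstration.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://api.example.com"]);
const SESSION_COOKIE = "session";
const CUSTOM_HEADER = "x-requested-by";
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Reduce a URL-valued header (Origin or Referer) to scheme + host + port.
// Returns null when the header is absent, literally "null", or unparsable.
function originOf(value) {
  if (!value || value === "null") return null;
  try {
    return new URL(value).origin;
  } catch (e) {
    return null;
  }
}

function hasCookie(headers, name) {
  return (headers.cookie || "")
    .split(";")
    .some((c) => c.trim().startsWith(name + "="));
}

// `req` is { method, headers } with lower-cased header names. Returns { ok, reason }.
function csrfCheck(req) {
  const h = req.headers;
  if (SAFE_METHODS.has(req.method.toUpperCase())) {
    return { ok: true, reason: "safe method, nothing to protect" };
  }

  // No ambient credential: a request authenticated only by an Authorization:
  // Bearer header cannot be forged from another origin, because the browser
  // never adds that header on its own. If a session cookie is also present the
  // cookie could still be abused, so fall through to the cookie-path checks.
  const bearer = /^Bearer\s+\S+/i.test(h.authorization || "");
  if (bearer && !hasCookie(h, SESSION_COOKIE)) {
    return { ok: true, reason: "bearer token without cookie" };
  }

  // Cookie-authenticated: require the custom header. A cross-site <form>
  // cannot set it, and a cross-site fetch/XHR that sets it is preflighted.
  if (!h[CUSTOM_HEADER]) {
    return { ok: false, reason: "missing " + CUSTOM_HEADER };
  }

  // Defence in depth: compare the full origin, not just the hostname, so
  // http:// vs https://, a different port, or a look-alike subdomain fails.
  const origin = originOf(h.origin) || originOf(h.referer);
  if (origin === null) return { ok: false, reason: "no Origin or Referer" };
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, reason: "origin not allowed: " + origin };
  }
  return { ok: true, reason: "custom header present, origin allowed" };
}

// Constructed sample requests (not captured traffic), one per branch.
const SAMPLES = {
  // cross-site <form> POST: the cookie rides along, but no custom header is possible
  crossSiteForm: { method: "POST", headers: { cookie: "session=abc123", origin: "https://evil.example.net" } },
  // header present, but a look-alike host that a prefix/substring host check would pass
  lookalikeHost: { method: "POST", headers: { cookie: "session=abc123", "x-requested-by": "1", origin: "https://app.example.com.evil.example.net" } },
  // right host, wrong scheme: fails a full-origin comparison
  wrongScheme: { method: "POST", headers: { cookie: "session=abc123", "x-requested-by": "1", origin: "http://app.example.com" } },
  // bearer token but a session cookie too: must still satisfy the cookie-path checks
  bearerPlusCookie: { method: "DELETE", headers: { cookie: "session=abc123", authorization: "Bearer eyJ.e30.sig" } },
  // no Origin header; the Referer's origin is used instead
  refererOnly: { method: "PUT", headers: { cookie: "session=abc123", "x-requested-by": "1", referer: "https://app.example.com/settings?tab=1" } },
  // header-only authentication, no cookie: not forgeable cross-site
  bearerOnly: { method: "POST", headers: { authorization: "Bearer eyJ.e30.sig", "content-type": "application/json" } },
};

// Map each sample name to the gate's verdict so every branch can be checked.
function runSamples() {
  const verdicts = {};
  for (const [name, req] of Object.entries(SAMPLES)) verdicts[name] = csrfCheck(req).ok;
  return verdicts;
}

console.log(runSamples());
```

Running it prints a verdict per sample: only `refererOnly` and `bearerOnly` pass. The look-alike and wrong-scheme cases are the reason the check compares `new URL(value).origin` against an allow-list instead of testing whether the hostname contains or starts with the expected value.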