Hi Isomorphic,

Until now we used the recommended approach by setting the CSRF token on the RPCManager actionURL. But after the last audit we got the following request from the security department:

    However, the token must stay in the message body or custom headers and not the URL or cookie. I understood from your message that you rely on SSL in order to keep the token in the URL. But I would like to ask you to stick to the best practices and keep the token off the URL and cookie, because there are different attack vectors.

    Quote from OWASP cheat sheet:
    “CSRF tokens in GET requests are potentially leaked at several locations, such as the browser history, log files, network appliances that log the first line of an HTTP request, and Referer headers if the protected site links to an external site.”

Is there some way to handle it on a global level, because going to hunt down all DSRequests all across the app would be very hard.

Regards
Matus
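The following is an added example, not part of the original post and not SmartClient/Isomorphic code: a generic server-side check that illustrates the security department's point. The token is accepted only from a custom header or the form body and never read from the query string, and a helper shows what a proxy or web server that logs the first line of the request would record. The header name `X-CSRF-Token`, the field name `csrf_token`, the path `/app/data` and the session token value are constructed for the example.

```python
"""Server-side CSRF token check that takes the token only from a custom
header or the form body, never from the URL. Added example, generic
Python; not SmartClient/Isomorphic code."""
import hmac
from urllib.parse import parse_qs, urlsplit

HEADER_NAME = "x-csrf-token"   # assumed header name (compared case-insensitively)
FIELD_NAME = "csrf_token"      # assumed form-field name

# Constructed session-bound token; a real server generates one per session.
SESSION_TOKEN = "c0ffee1234abcd5678"


def extract_token(headers, body):
    """Return the CSRF token from the custom header or the form body, else None.
    The query string is deliberately never consulted, so a token placed in the
    URL is simply ignored rather than honoured."""
    for name, value in headers.items():
        if name.lower() == HEADER_NAME:
            return value
    if body:
        values = parse_qs(body).get(FIELD_NAME)
        if values:
            return values[0]
    return None


def csrf_ok(session_token, headers, body):
    """Constant-time comparison of the submitted token with the session's token."""
    token = extract_token(headers, body)
    if token is None or session_token is None:
        return False
    return hmac.compare_digest(token.encode("utf-8"), session_token.encode("utf-8"))


def request_line(method, url):
    """The first line of the HTTP request, which is what access logs and many
    network appliances record: path plus full query string, body excluded."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return f"{method} {target} HTTP/1.1"


if __name__ == "__main__":
    # Token in the URL: ends up in the logged request line.
    print(request_line("GET", f"/app/data?{FIELD_NAME}={SESSION_TOKEN}"))
    # Token in a header: the request line carries nothing sensitive.
    print(request_line("POST", "/app/data"))
    print(csrf_ok(SESSION_TOKEN, {"X-CSRF-Token": SESSION_TOKEN}, ""))
    print(csrf_ok(SESSION_TOKEN, {}, f"{FIELD_NAME}={SESSION_TOKEN}"))
    print(csrf_ok(SESSION_TOKEN, {}, f"{FIELD_NAME}=wrong"))
```

Running the block prints the two request lines side by side: the GET variant exposes the token to every log that keeps the first line of the request, while the POST-with-header variant does not, which is the practical difference the OWASP quote describes.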