Friday, October 24, 2014

Cross-Site Request Forgery Prevention

Cross-site request forgery (CSRF or XSRF) happens when an attacker embeds a tag like <img src=""> whose source points at the target site in a malicious web page on the attacker's site. When the user visits that page, the browser sends the user's authentication cookies for the target site along with the request, regardless of the page's origin. Forms that POST to the target site can be embedded in a malicious page as well. Checking the "Referer" header is not a reliable defence either: it can be forged if the target site redirects to canonicalize URLs.

One solution to prevent the attack is to do both of the following: (1) use an unguessable secret stored in a cookie and rotated regularly, and (2) require the same secret to appear in the POST request as a hidden form field, so that a request is only accepted when the cookie value and the form field value match.

If the secret appears in the URL, and if the attacker may embed content in the target site's pages, then when the browser, while on the target site, loads a resource from the attacker's site, the "Referer" header of that request would reveal the secret. The secret therefore belongs in a hidden form field, never in the URL.
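The cookie-plus-hidden-field check described above, written out as an added example (this is not code from the original post; the handler, the 30-minute rotation policy, and the `csrf_secret`/`csrf_token` names are assumptions chosen for illustration). The attacker's page can make the browser send the cookie, but it cannot read the cookie or the form rendered by the target site, so it cannot supply a matching hidden field. The secret is carried only in the cookie and the form body, never in a URL, which keeps it out of the "Referer" header.

```python
import hmac
import secrets
import time
from html import escape

TOKEN_BYTES = 32
ROTATE_AFTER = 30 * 60  # assumed policy: rotate the secret cookie every 30 minutes


def new_csrf_secret():
    """Unguessable secret for the cookie: 256 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def hidden_field(secret):
    """Hidden form field carrying the same secret. The server embeds this in
    every form it renders, so only a page served by the site knows the value."""
    return '<input type="hidden" name="csrf_token" value="%s">' % escape(secret, quote=True)


def cookie_needs_rotation(issued_at, now=None):
    """True once the cookie is older than the rotation window."""
    now = time.time() if now is None else now
    return now - issued_at >= ROTATE_AFTER


def csrf_check(cookie_secret, form_secret):
    """Both values must be present and match byte for byte.
    hmac.compare_digest keeps the comparison time independent of where
    the values first differ."""
    if not cookie_secret or not form_secret:
        return False
    return hmac.compare_digest(cookie_secret, form_secret)


def handle_post(cookies, form, issued_at, now=None):
    """Simulated POST handler. `cookies` and `form` are dicts standing in for
    the request's cookie jar and body; returns (status, message)."""
    now = time.time() if now is None else now
    if cookie_needs_rotation(issued_at, now):
        return 403, "csrf cookie expired; reload the form"
    if not csrf_check(cookies.get("csrf_secret"), form.get("csrf_token")):
        return 403, "csrf token mismatch"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed scenario: the site issues a secret and renders a form with it.
    secret = new_csrf_secret()
    issued = time.time()
    print(hidden_field(secret))

    # Legitimate submission: the browser sends the cookie and the form field.
    print(handle_post({"csrf_secret": secret}, {"csrf_token": secret}, issued))

    # Forged cross-site POST: the browser still attaches the cookie, but the
    # attacker's page could not read it, so the hidden field is absent.
    print(handle_post({"csrf_secret": secret}, {}, issued))

    # Stale cookie: rotation forces a fresh secret before the form is accepted.
    print(handle_post({"csrf_secret": secret}, {"csrf_token": secret},
                      issued, now=issued + ROTATE_AFTER + 1))
```

In a real deployment the cookie is set with `HttpOnly` and `Secure`, the rotation timestamp lives server-side or inside a signed cookie, and the same `csrf_check` runs on every state-changing request, not only on form posts.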