CDLUC3 / dmsp_backend_prototype

The GraphQL (Apollo server) backend for the new DMSP system

Setup CSRF #36

Open briri opened 2 weeks ago

briri commented 2 weeks ago

Research CSRF implementation for GraphQL as well as NodeJS Express server.

jupiter007 commented 1 week ago

Apollo Server: This is what I found out about Apollo Server. As of Apollo Server 4, it ships with a feature that protects users from CSRF and XS-Search attacks. It requires that the client include an "Apollo-Require-Preflight" header or a "Content-Type: application/json" header, which forces the preflight requests that block CSRF attacks.

Here are the Apollo Server docs for csrf handling: https://www.apollographql.com/docs/apollo-server/security/cors/#preventing-cross-site-request-forgery-csrf

CSRF Protection on NextJS frontend: It doesn't make sense to manage CSRF protection on the NextJS end, because authentication will be handled on the backend server side, and forms for /login and /signup will be POSTed to the backend server.

Is CSRF Protection necessary for /login and /signup? Outside of the GraphQL endpoints, there are currently only two endpoints that exist in the backend server: /login and /signup. CSRF protection is primarily necessary when your application uses cookies to store authentication tokens, but if our server exclusively retrieves JWT tokens from request headers, like the Authorization header, it seems that CSRF attacks are not directly applicable.
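As an added example of the "require preflight" rule described in the comment above (this is a stand-alone reimplementation, not Apollo Server's code and not part of dmsp_backend_prototype; the names `isPreflightSafe`, `mediaType` and `csrfPreventionMiddleware` are mine), the check that decides whether a request could have been sent by a plain cross-site form without a CORS preflight:

```javascript
// Added example: a stand-alone reimplementation of the rule Apollo Server 4's
// csrfPrevention applies. Not Apollo's code; function names are hypothetical.

// Content types a browser may send cross-origin WITHOUT a CORS preflight
// (a CORS "simple request"). A plain HTML <form> can produce all three, which
// is exactly what a CSRF page relies on.
const SIMPLE_CONTENT_TYPES = new Set([
  'text/plain',
  'application/x-www-form-urlencoded',
  'multipart/form-data',
]);

// Custom headers a browser never adds by itself; their presence means the
// request came from script, so the browser already performed a preflight.
const PREFLIGHT_FORCING_HEADERS = ['apollo-require-preflight', 'x-apollo-operation-name'];

// Media type of a Content-Type value, ignoring parameters such as
// "; charset=utf-8". A missing header is treated as "simple" (e.g. a bare GET).
function mediaType(contentType) {
  if (!contentType) return 'text/plain';
  return contentType.split(';')[0].trim().toLowerCase();
}

// `headers` is a plain object with lower-cased header names, as Node's http
// module and Express provide. Returns true when the request is safe to execute.
function isPreflightSafe(headers) {
  const type = mediaType(headers['content-type']);
  // A non-simple type such as application/json already forced a preflight,
  // so a cross-site page could only send it with the server's CORS consent.
  if (!SIMPLE_CONTENT_TYPES.has(type)) return true;
  // A simple type is acceptable only if a custom header is present.
  return PREFLIGHT_FORCING_HEADERS.some((h) => h in headers);
}

// Express-style middleware: reject before any resolver runs.
function csrfPreventionMiddleware(req, res, next) {
  if (isPreflightSafe(req.headers)) return next();
  res.status(400).send(
    'Blocked as a potential CSRF request: send Apollo-Require-Preflight ' +
      'or use Content-Type: application/json',
  );
}
```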