GenieFramework / Stipple.jl

The reactive UI library for interactive data applications with pure Julia.
MIT License
317 stars, 27 forks

CSRF Protection #7

Open giraffekey opened 3 years ago

giraffekey commented 3 years ago

Since the library handles both client and server, I think it would be very helpful to have first class CSRF protection. The Echo framework provides middleware that has a good solution: https://echo.labstack.com/middleware/csrf

Basically: Backend generates a secure token and stores it in a cookie. All frontend requests from then on send the cookie in the header. The backend only accepts requests that contain the correct token in the header.

It works because although the cookie itself will always get sent during an attempted attack, only the intended client can read the cookie and place it in the header, so as long as the server is verifying the header for each request, session hijacking is not possible. Using Secure, SameSite=Strict, and HttpOnly helps provide further security.
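
The check described in this comment (the "double-submit cookie" pattern), written out as an added example in framework-agnostic Julia. This is not code from Stipple.jl or Genie; the `Request` struct, the cookie name `csrf_token`, the header name `X-CSRF-Token` and the function names are assumptions for illustration. One caveat a practitioner should keep in mind: in this scheme the token cookie cannot be HttpOnly, because the page script has to read it to copy it into the header; HttpOnly belongs on the session cookie, and Secure and SameSite=Strict can still be set on the token cookie.

```julia
# Added example (not Stipple.jl/Genie code): double-submit-cookie CSRF check.
# Assumptions: cookie name "csrf_token", header "X-CSRF-Token", a minimal
# Request struct standing in for whatever the framework passes to middleware.
using Random   # stdlib; RandomDevice() reads OS randomness

const CSRF_COOKIE = "csrf_token"
const CSRF_HEADER = "x-csrf-token"              # header names compared lower-cased
const SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # must have no side effects, so no token required

# Minimal request model: header names are stored lower-cased by the caller.
struct Request
    method::String
    headers::Dict{String,String}
end

# 256-bit token from the OS CSPRNG, hex-encoded so it is cookie- and header-safe.
generate_csrf_token() = bytes2hex(rand(RandomDevice(), UInt8, 32))

# Set-Cookie value for the token. Deliberately NOT HttpOnly: the client script
# must be able to read it. SameSite=Strict stops the browser attaching it to
# cross-site requests at all; Secure keeps it off plaintext connections.
csrf_set_cookie(token) = "$(CSRF_COOKIE)=$(token); Path=/; Secure; SameSite=Strict"

# Constant-time string comparison so an attacker cannot learn the token
# byte-by-byte from response timing.
function constant_time_equal(a::AbstractString, b::AbstractString)
    ca, cb = codeunits(a), codeunits(b)
    length(ca) == length(cb) || return false
    diff = UInt8(0)
    for i in eachindex(ca)
        diff |= ca[i] ⊻ cb[i]
    end
    return diff == 0
end

# Parse a Cookie request header ("a=b; c=d") into a Dict.
function parse_cookies(header::AbstractString)
    cookies = Dict{String,String}()
    for part in split(header, ';')
        kv = split(strip(part), '='; limit = 2)
        length(kv) == 2 || continue
        cookies[String(kv[1])] = String(kv[2])
    end
    return cookies
end

# The actual check: state-changing requests must carry the token both in the
# cookie (which the browser sends automatically) and in the header (which only
# same-origin script that could read the cookie can add).
function check_csrf(req::Request)
    uppercase(req.method) in SAFE_METHODS && return true
    cookies    = parse_cookies(get(req.headers, "cookie", ""))
    cookie_tok = get(cookies, CSRF_COOKIE, "")
    header_tok = get(req.headers, CSRF_HEADER, "")
    isempty(cookie_tok) && return false          # no token issued yet: reject
    return constant_time_equal(cookie_tok, header_tok)
end

# Constructed requests showing the four cases the scheme has to distinguish.
function demo()
    tok = generate_csrf_token()
    println("Set-Cookie: ", csrf_set_cookie(tok))
    # Legitimate same-origin request: script copied the cookie into the header.
    good   = Request("POST", Dict("cookie" => "session=abc; $(CSRF_COOKIE)=$tok",
                                  CSRF_HEADER => tok))
    # Forged cross-site request: browser attaches the cookie, attacker cannot
    # read it and therefore cannot set the header.
    forged = Request("POST", Dict("cookie" => "session=abc; $(CSRF_COOKIE)=$tok"))
    # Attacker guesses a header value: mismatch is rejected.
    wrong  = Request("POST", Dict("cookie" => "$(CSRF_COOKIE)=$tok",
                                  CSRF_HEADER => "0"^64))
    # Read-only request: no token needed.
    read   = Request("GET",  Dict("cookie" => "$(CSRF_COOKIE)=$tok"))
    return (good = check_csrf(good), forged = check_csrf(forged),
            wrong = check_csrf(wrong), read = check_csrf(read))
end

demo()
```

Running `demo()` accepts the legitimate request and the GET, and rejects both the forged request (cookie present, header absent) and the guessed header. On the client side the page script reads the token out of `document.cookie` and sets it as the `X-CSRF-Token` header on every state-changing request; the server does nothing more than the comparison above.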

essenciary commented 3 years ago

@GiraffeKey Sounds like a great idea, I'll take a look! If you feel like trying to implement it, I'm happy to merge!

mkschulze commented 3 years ago

Here is a good article about how it's done in Flask. Quite interesting read I think. https://testdriven.io/blog/csrf-flask/