Open Sydney-o9 opened 5 years ago
Hi @Sydney-o9 thanks for this heads up about CSRF! I think you are correct that we don't have any particular CSRF protection in place. However, I'm not quite sure how vulnerable we are to CSRF if we use JWT Bearer tokens. Some quick research gave me this and this.
Maybe we could add some extra assurance by disallowing cookies in our backend like the thread opener of the first link suggested. :thinking:
I think it would help me and others if you could outline an example of how a CSRF attack could look in our case? Feel free to use our staging environment: https://nitro-staging.human-connection.org/ it should always run the latest master branch.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
@roschaefer @mattwr18 @ogerly @alina-beck @datenbrei What can and what should we do about this security problem?
@Sydney-o9 can you be a help with this?
I had a look at it. There seem to be some solutions on a framework level, like JSON Web Tokens (JWT)/Bearer tokens. Maybe we can make use of existing solutions? Are there any?
Still for the future …
Still valid I think
Hi Team,
I can't see any logic for CSRF protection, whether that is on the login form (login CSRF) or on the profile form (typical CSRF attacks).
Can you confirm?
Thank you, Team