MarioArnt / bringgle

Real-time collaborative shareable check-lists

Security Audit #11

Open MarioArnt opened 6 years ago

MarioArnt commented 6 years ago

Need to audit the security of the app. We purposely don't want the user to have to log in. He can create and join lists as a guest user. That's fine, but we don't use CSRF tokens. Need to fix that vulnerability.

mohammadobaid1 commented 6 years ago

Will referrer-based protection work for you to prevent CSRF attacks?

MarioArnt commented 6 years ago

If you mean implementing a referrer policy based on CORS headers, it would be great. This article seems quite exhaustive on the topic: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendations_For_Automated_CSRF_Defense

mohammadobaid1 commented 6 years ago

Yeah, referer-based protection. Will have to do it at the API level, which checks the referer header value before processing something. I will try to do it in the coming weekend and then submit a PR once completed. :)
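As an added illustration of the API-level check discussed in this thread (example code, not bringgle's own implementation, and not the PR mentioned above), the function below applies the "verify origin with standard headers" approach from the OWASP cheat sheet linked earlier: it skips safe methods, checks the `Origin` header first, falls back to `Referer`, and rejects state-changing requests where neither header is present rather than assuming they are same-origin. The allowed origin `https://bringgle.example` and the `{ method, headers }` request shape are assumptions for the example; `ALLOWED_ORIGINS` would be read from deployment configuration in practice.

```javascript
// Added example: origin/referer check for state-changing requests, following
// the OWASP CSRF cheat sheet's "verifying origin with standard headers".
// Illustrative code, not bringgle's own. The allowed-origin list and the
// request shape ({ method, headers }) are assumptions.

// Assumed deployment origin; in a real app this comes from configuration.
const ALLOWED_ORIGINS = new Set(['https://bringgle.example']);

// Methods that must not change state and therefore need no CSRF check.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Reduce a header value to scheme://host[:port]; null if absent or unparsable.
// Note: a literal "Origin: null" (e.g. from a sandboxed frame) fails to parse
// and is treated as absent, so it never matches an allowed origin.
function originOf(value) {
  if (!value) return null;
  try {
    return new URL(value).origin; // drops path, query and fragment
  } catch (e) {
    return null;
  }
}

// Decide whether a request passes the origin check.
// Returns { ok: boolean, reason: string } so callers can log the reason.
function checkRequestOrigin(req, allowed = ALLOWED_ORIGINS) {
  const method = (req.method || 'GET').toUpperCase();
  if (SAFE_METHODS.has(method)) {
    return { ok: true, reason: 'safe method' };
  }

  // Node-style lowercase header names are assumed.
  const headers = req.headers || {};

  // Prefer Origin: browsers send it on same-origin and cross-origin POSTs.
  let source = originOf(headers.origin);

  // Fall back to Referer (single "r", as in the HTTP spec); some privacy
  // settings or proxies strip it, which is why Origin is checked first.
  if (!source) source = originOf(headers.referer);

  if (!source) {
    // Neither header present: reject instead of assuming same-origin.
    return { ok: false, reason: 'missing origin and referer' };
  }
  if (!allowed.has(source)) {
    return { ok: false, reason: `origin ${source} not allowed` };
  }
  return { ok: true, reason: 'origin allowed' };
}

// Usage sketch: run the check before any handler that mutates a list.
// if (!checkRequestOrigin(req).ok) { respond with 403 and log the reason }
```

The check is only as good as the deployment origin list: it must contain every scheme and host the app is actually served from (including non-default ports), and the decision should be logged so that rejected requests are visible in monitoring.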

MarioArnt commented 6 years ago

Great, thanks a lot !