OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International

Update: CSRF by disallowing simple requests #1309

Closed · jackevans43 closed this 4 months ago

jackevans43 commented 5 months ago

What is missing or needs to be updated?

For CSRF mitigations, should a section be included suggesting that modern APIs which don't use forms deny the simple content types (application/x-www-form-urlencoded, multipart/form-data, text/plain), which would enforce CORS and mitigate CSRF?

How should this be resolved?

Add a section on configuring an API (or reverse proxy, API gateway) to disallow simple content types.

birch-jayton commented 4 months ago

I agree and want to throw in my two cents.

There is a section on Employing Custom Request Headers for AJAX/API. By having the API assert that there is a custom header in the request, you are also asserting that the request was not simple.

However, a custom header is not the only way to assert that a request is not simple. A Content-Type header of application/json also makes the browser preflight the request and causes the request not to be simple (as you mention). JSON-based applications are extremely common. If a client and server are already using JSON, having the API assert that the Content-Type is application/json would (typically) require no extra work on the client, whereas the custom header technique requires work on the client to ensure ALL requests being sent have that header.

IMO, "Disallow non-simple requests" would be a primary section and the existing Employing Custom Request Headers for AJAX/API section would be a subsection of that.
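The two checks discussed in this thread (refusing the three form-safelisted content types, and accepting a custom header as proof of a preflight) as a server-side guard, written as an added example that is not part of this issue or of the cheat sheet; the header name X-Requested-With and the sample requests are constructed for illustration.

```python
"""Refuse CORS 'simple' requests on state-changing endpoints (added example).

A cross-origin browser request skips the CORS preflight only if its method is
GET/HEAD/POST, it has no custom headers and its Content-Type is one of three
form-safelisted types. A <form> can only produce those three, so refusing them
(or demanding a custom header) blocks classic form-based CSRF, provided the
CORS policy does not grant the attacker's origin in the preflight.
"""

# The only media types a <form> or a non-preflighted fetch/XHR can send.
SIMPLE_CONTENT_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

def media_type(content_type):
    """Bare, lower-cased media type: 'Text/Plain; charset=utf-8' -> 'text/plain'."""
    return content_type.split(";", 1)[0].strip().lower()

def csrf_guard(method, headers, custom_header="X-Requested-With"):
    """Return (allowed, reason); header names are compared case-insensitively.
    The custom header name is an assumption; any non-safelisted name works."""
    hdrs = {name.lower(): value for name, value in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no state change expected"
    if custom_header.lower() in hdrs:
        return True, "custom header present, request was preflighted"
    ct = hdrs.get("content-type")
    if ct is None:
        return False, "no Content-Type on a state-changing request"
    if media_type(ct) in SIMPLE_CONTENT_TYPES:
        return False, f"simple content type {media_type(ct)!r} refused"
    return True, f"non-simple content type {media_type(ct)!r}"

# Constructed sample requests (method, headers) standing in for inbound API calls.
SAMPLE_REQUESTS = {
    "form_post":   ("POST", {"Content-Type": "application/x-www-form-urlencoded"}),
    "multipart":   ("POST", {"content-type": "multipart/form-data; boundary=xyz"}),
    # A text/plain form whose body *looks* like JSON; the type check still refuses it.
    "plain_json":  ("POST", {"Content-Type": "text/plain"}),
    "json_client": ("POST", {"Content-Type": "Application/JSON; charset=utf-8"}),
    "custom_hdr":  ("DELETE", {"X-Requested-With": "fetch"}),
    "no_type":     ("PUT", {}),
    "read_only":   ("GET", {}),
}

def evaluate_all(requests=SAMPLE_REQUESTS):
    return {name: csrf_guard(m, h)[0] for name, (m, h) in requests.items()}
```

The guard deliberately fails closed on a missing Content-Type and ignores the body, since a text/plain form can carry bytes that parse as JSON.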

mackowski commented 4 months ago

@birch-jayton and @jackevans43 yes, this section can be improved! There is also a related issue, #1216. Do you want to work on that?