OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International

Update: Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md #1439

Closed Andrewp2 closed 6 days ago

Andrewp2 commented 1 week ago

What is missing or needs to be updated?

On line 84 we're told to use environment variables for a secret key:

  • A secret cryptographic key Not to confuse with the random value from the naive implementation. This value is used to generate the HMAC hash. Ideally, store this key as an environment variable.

However, at Cryptographic_Storage_Cheat_Sheet.html#key-storage, we're told not to use environment variables:

Avoid storing keys in environment variables, as these can be accidentally exposed through functions such as phpinfo() or through the /proc/self/environ file.

How should this be resolved?

One option is to change to:

  • A secret cryptographic key Not to be confused with the random value from the naive implementation. This value is used to generate the HMAC hash. Ideally, store this key as discussed in the Cryptographic Storage Page.
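
To show what "store this key as discussed in the Cryptographic Storage page" can look like in practice, here is an added example (not code from the cheat sheet or from this issue) of the HMAC-based token pattern the bullet refers to, reading the key from a permission-restricted file instead of an environment variable. The key file path, the minimum key length, the length-prefixed message format and the `mac.random` token layout are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile


def load_hmac_key(path: str) -> bytes:
    """Read the CSRF HMAC key from a file only the service user can read.
    Refuses a file that group/other can access so a misconfiguration fails at startup."""
    mode = os.stat(path).st_mode
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible by group/other; tighten to 0600")
    with open(path, "rb") as f:
        key = f.read().strip()
    if len(key) < 32:  # assumed minimum: 256 bits for HMAC-SHA256
        raise ValueError("CSRF HMAC key must be at least 32 bytes")
    return key


def _message(session_id: str, random_value: str) -> bytes:
    # Length-prefix both parts so "ab"+"c" and "a"+"bc" cannot produce the same input.
    return f"{len(session_id)}!{session_id}!{len(random_value)}!{random_value}".encode()


def generate_csrf_token(key: bytes, session_id: str) -> str:
    random_value = secrets.token_hex(16)  # fresh per-token randomness
    mac = hmac.new(key, _message(session_id, random_value), hashlib.sha256).hexdigest()
    return f"{mac}.{random_value}"


def verify_csrf_token(key: bytes, session_id: str, token: str) -> bool:
    try:
        mac, random_value = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(key, _message(session_id, random_value), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def demo() -> bool:
    # Constructed key file for the demo; in production the deployment (or a secrets manager) provisions it.
    fd, path = tempfile.mkstemp()
    os.write(fd, secrets.token_bytes(32))
    os.close(fd)
    os.chmod(path, 0o600)
    key = load_hmac_key(path)
    token = generate_csrf_token(key, "sess-123")
    accepted = verify_csrf_token(key, "sess-123", token)
    rejected = not verify_csrf_token(key, "sess-999", token)  # bound to the session
    os.unlink(path)
    return accepted and rejected
```

The token is bound to the session ID, so a token minted for one session fails verification for another even with the same key.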

jmanico commented 1 week ago

Great find. Would you care to submit a PR?

szh commented 6 days ago

Yeah, this is clearly an out of date recommendation. If you're willing to make a PR to update it that would be awesome. If not, just let me know and I can handle it.