Research-Mentoring-Platform / mentoringplatform


Shift to cookie based authentication + anti-CSRF tokens. #149

Open reeshabhranjan opened 2 years ago

reeshabhranjan commented 2 years ago

The way we have implemented authentication right now is by utilising long lived Tokens stored in the internal storage (client-side). This prevents CSRF attacks. However, it makes the attack radius of XSS attacks much higher. This is because in case an XSS attack occurs, the injected malicious JS code will be able to read the cookie from the storage easily.

Initial thoughts

One way is to use HTTP_ONLY cookies marked as strict in the SameSite settings of the cookie. Although this will prevent the injected JS code from accessing the cookie itself, it will still open doors for CSRF attacks, which were not possible in the current scenario. Simple JWT tokens that are available as a library for Django don't support anti-CSRF tokens. The idea of the anti-CSRF tokens is having one HTTP_ONLY cookie, and the other part of the token should be readable by the JS. The combination of these two will make sure that any POST request made by the client will be checked for anti-CSRF tokens.

We can have a discussion on this to understand more about it. I am putting it as an issue here to keep track of it so that we don't forget about it.
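The two-part scheme sketched in the comment above (one HttpOnly cookie the page's JS cannot read, one JS-readable token that the frontend copies into a request header, and a server-side check on every state-changing request) is shown below as an added, framework-independent Python example. It is not code from the mentoringplatform repository and it is not Django's own CSRF middleware; the cookie names `sessionid` and `csrftoken`, the `X-CSRF-Token` header name, and the choice to bind the readable token to the session id with an HMAC (rather than issuing an independent random value) are assumptions made for the example. A cross-site form post still carries the cookies, but the attacker's page cannot read `csrftoken` or set a custom header on the victim's request, so the check fails.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Methods that must never change state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
# Assumed header name; the frontend must use the same one.
CSRF_HEADER = "X-CSRF-Token"


def issue_session(secret: bytes):
    """Create a session id plus a CSRF token bound to it by HMAC.

    The session id goes into an HttpOnly cookie (invisible to page JS).
    The CSRF token goes into a readable cookie so the frontend can echo it
    in a header. Because it is derived from the session id with a server
    secret, a forged csrftoken cookie will not verify.
    """
    session_id = secrets.token_urlsafe(32)
    csrf_token = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    return session_id, csrf_token


def set_cookie_headers(session_id: str, csrf_token: str):
    """Return the two Set-Cookie header values the server would emit."""
    jar = SimpleCookie()
    jar["sessionid"] = session_id
    jar["sessionid"]["httponly"] = True   # JS cannot read this one
    jar["sessionid"]["secure"] = True
    jar["sessionid"]["samesite"] = "Strict"
    jar["sessionid"]["path"] = "/"
    jar["csrftoken"] = csrf_token         # deliberately readable by JS
    jar["csrftoken"]["secure"] = True
    jar["csrftoken"]["samesite"] = "Strict"
    jar["csrftoken"]["path"] = "/"
    return [morsel.OutputString() for morsel in jar.values()]


def verify_request(secret: bytes, method: str, cookie_header: str, headers: dict):
    """Server-side check. Returns (allowed, reason)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    cookies = SimpleCookie(cookie_header or "")
    session = cookies.get("sessionid")
    csrf_cookie = cookies.get("csrftoken")
    if session is None or csrf_cookie is None:
        return False, "missing cookie"
    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    header_token = lowered.get(CSRF_HEADER.lower())
    if not header_token:
        return False, "missing CSRF header"
    expected = hmac.new(secret, session.value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, csrf_cookie.value):
        return False, "csrftoken cookie not bound to this session"
    if not hmac.compare_digest(header_token, csrf_cookie.value):
        return False, "header token does not match cookie"
    return True, "ok"


def demo():
    """Constructed scenarios: same-origin POST, cross-site POST, forged token, GET."""
    secret = b"server-side-secret-for-the-example"  # constructed, never ship a literal
    sid, csrf = issue_session(secret)
    cookie_header = f"sessionid={sid}; csrftoken={csrf}"
    return {
        # Legitimate frontend: reads csrftoken and sends it in the header.
        "same_origin_post": verify_request(secret, "POST", cookie_header, {"X-CSRF-Token": csrf}),
        # Attacker page: browser attaches cookies, but no custom header is possible.
        "cross_site_post": verify_request(secret, "POST", cookie_header, {}),
        # Attacker guesses a token and somehow gets it into both places.
        "forged_token": verify_request(
            secret, "POST", f"sessionid={sid}; csrftoken=deadbeef", {"X-CSRF-Token": "deadbeef"}
        ),
        # Read-only request: no check needed.
        "plain_get": verify_request(secret, "GET", cookie_header, {}),
    }


if __name__ == "__main__":
    for line in set_cookie_headers(*issue_session(b"x")):
        print(line)
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With SameSite=Strict on both cookies, most browsers will not attach them to a cross-site POST in the first place; the header check is the defence that does not depend on browser cookie policy.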

reeshabhranjan commented 2 years ago

Also, I think SameSite=strict should be enough, but I am still not so sure about it.