with new session generate random token (for example: csrf-token) [back-end]
put it into cookie [back-end]
when POST request sent from front-end, read the value from cookie and put it into x-csrf-token header [front-end]
when POST request accepted, compare values in cookie and header [back-end]
It's a severe flow in security, however right now there is no reason for someone to try to exploit it. Worst it can do is to delete some ratings, which are backed up every day.
RomanistHere
commented
2 years ago
https://stackoverflow.com/questions/20504846/why-is-it-common-to-put-csrf-prevention-tokens-in-cookies https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html https://github.com/pillarjs/understanding-csrf https://www.npmjs.com/package/csrf
csrf-token) [back-end]x-csrf-tokenheader [front-end]It's a severe flow in security, however right now there is no reason for someone to try to exploit it. Worst it can do is to delete some ratings, which are backed up every day.