bkesk / bad-apps-blog

An insecure blog web app intended for practice with application security.

Fixes #8 Vulnerable to CSRF #10

Closed bkesk closed 2 years ago

bkesk commented 2 years ago

Added two layers of defense against CSRF attacks.

  1. (primary defense) pass an anti-CSRF token to the user which must be returned with all POST forms in order for the transaction to be accepted.
  2. (secondary defense) set the SameSite: Strict cookie flag at the application level

Additionally, all POST requests against the application which do not include the necessary token are logged as possible CSRF attacks.
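The two layers described above, worked through as an added example that is not code from the bad-apps-blog project: a per-session synchronizer token embedded in POST forms and checked on submission (refused and logged as a possible CSRF attempt when missing or wrong), plus a session cookie emitted with `SameSite=Strict`. The function names (`issue_csrf_token`, `validate_post`, `session_cookie_header`, `simulate`), the in-memory session dict, the form field name and the sample requests are assumptions constructed for illustration, stdlib only.

```python
"""Added example, not the bad-apps-blog project's own code: synchronizer-token
CSRF check (primary defense) plus a SameSite=Strict session cookie (secondary
defense), with rejected POSTs recorded as possible CSRF attempts.
All names, the session dict and the sample requests are assumptions."""
import hmac
import logging
import secrets
from typing import Dict, List

log = logging.getLogger("csrf")
CSRF_FIELD = "csrf_token"  # hidden form field name (assumed)


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create (or reuse) one unguessable token per session; every POST form
    carries it as a hidden field."""
    if CSRF_FIELD not in session:
        session[CSRF_FIELD] = secrets.token_urlsafe(32)
    return session[CSRF_FIELD]


def render_comment_form(session: Dict[str, str]) -> str:
    """Server-rendered form that returns the session token with the POST."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/comment">'
        f'<input type="hidden" name="{CSRF_FIELD}" value="{token}">'
        '<textarea name="body"></textarea><button>Post</button></form>'
    )


def validate_post(session: Dict[str, str], form: Dict[str, str],
                  remote_addr: str, path: str, audit: List[str]) -> bool:
    """Primary defense: accept a POST only if the submitted token equals the
    session's token. A missing or mismatched token is refused and logged as a
    possible CSRF attempt (an attacker's page cannot read the victim's token)."""
    expected = session.get(CSRF_FIELD)
    submitted = form.get(CSRF_FIELD)
    if expected is None or submitted is None:
        msg = f"possible CSRF: missing token, POST {path} from {remote_addr}"
        log.warning(msg)
        audit.append(msg)
        return False
    # Constant-time comparison so timing does not leak token bytes.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        msg = f"possible CSRF: bad token, POST {path} from {remote_addr}"
        log.warning(msg)
        audit.append(msg)
        return False
    return True


def session_cookie_header(session_id: str) -> str:
    """Secondary defense: SameSite=Strict makes the browser withhold the
    session cookie on any cross-site request, so a forged POST arrives
    unauthenticated even if the token check were bypassed. HttpOnly and
    Secure are routine hardening for a session cookie."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"


def simulate() -> dict:
    """Constructed requests: one legitimate POST, one cross-site POST with no
    token, one with a stale/guessed token. Returns the outcomes for inspection."""
    audit: List[str] = []
    session: Dict[str, str] = {}
    html = render_comment_form(session)
    token = session[CSRF_FIELD]
    legit = validate_post(session, {CSRF_FIELD: token, "body": "hi"},
                          "10.0.0.5", "/comment", audit)
    forged = validate_post(session, {"body": "spam"},
                           "203.0.113.9", "/comment", audit)
    stale = validate_post(session, {CSRF_FIELD: "x" * 43, "body": "spam"},
                          "203.0.113.9", "/comment", audit)
    return {
        "form_has_token": token in html,
        "legit": legit,
        "forged": forged,
        "stale": stale,
        "audit": audit,
        "cookie": session_cookie_header("s1"),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The token check is what actually stops the forged request; the cookie flag is defense in depth, since `SameSite=Strict` depends on browser support and does not protect a same-site page that is itself vulnerable to injection.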

bkesk commented 2 years ago

Updated tests involving protected POST forms to include a token where needed. Also added some basic security unit tests for the anti-CSRF tokens.