Closed franklindyer closed 3 months ago
Update: I've decided not to use Referer-based validation at all, due to the possibility of excluding legitimate users whose Referer headers are suppressed for some reason.
Update: though including a strict CSP is probably not a bad idea overall, I don't think it is actually necessary for remediating this particular issue.
The site needs some defense mechanisms against CSRF. These include:

- Referer-based blocking of malicious POST requests.
- Configuration of content security policy.
- SameSite=Strict for session cookies.
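An added example, not code from this issue or the project it belongs to, illustrating two of the mechanisms listed above in Python: a Referer-based check on POST requests, including the missing-Referer case that the update cites as the reason for dropping it, and a session Set-Cookie header carrying SameSite=Strict, together with a small model of when a browser attaches such a cookie to a request. The site origin, the header names, the session value and the simplified browser model are assumptions; the model also covers SameSite=Lax so the contrast with Strict is visible, which goes beyond the three items in the list.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumed origin of the protected site; the issue does not name it.
SITE_ORIGIN = "https://example.com"


def referer_check(headers: dict, site_origin: str = SITE_ORIGIN) -> tuple[bool, str]:
    """Referer-based CSRF check for a state-changing (POST) request.

    Returns (allowed, reason). A request with no Referer at all is ambiguous:
    it may be a cross-site attack, or a legitimate user whose browser or
    privacy extension strips the header. Rejecting it blocks both, which is
    the failure mode the issue update describes.
    """
    # Header lookup is case-insensitive in HTTP; normalise the constructed dict.
    lowered = {k.lower(): v for k, v in headers.items()}
    referer = lowered.get("referer")
    if referer is None:
        return False, "no Referer header: attacker or privacy-conscious user, cannot tell"
    parts = urlsplit(referer)
    origin = f"{parts.scheme}://{parts.netloc}"
    if origin != site_origin:
        return False, f"cross-site Referer origin {origin}"
    return True, "same-site Referer"


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value for the session cookie with SameSite=Strict.

    Secure and HttpOnly are added as well; Strict means the browser never
    attaches the cookie to a request initiated from another site, so a
    cross-site POST arrives without a session and cannot act as the user.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["path"] = "/"
    # output(header="") yields " session=...; ..." ; drop the leading space.
    return cookie.output(header="").strip()


def browser_attaches_cookie(samesite: str, top_level_site: str, target_site: str,
                            top_level_navigation: bool, method: str) -> bool:
    """Simplified model (assumption, not any particular browser) of whether a
    cookie with the given SameSite value is sent on a request to target_site
    while the page that initiated it belongs to top_level_site."""
    if top_level_site == target_site or samesite == "None":
        return True
    if samesite == "Strict":
        return False  # never sent cross-site, regardless of request type
    # Lax: only on top-level navigations using safe methods (e.g. a link click)
    return top_level_navigation and method.upper() in ("GET", "HEAD", "OPTIONS", "TRACE")


def csrf_post_succeeds(samesite: str) -> bool:
    """Does a hidden cross-site form POST from attacker.example carry the
    session cookie to SITE_ORIGIN under the given SameSite setting?"""
    return browser_attaches_cookie(samesite, "https://attacker.example", SITE_ORIGIN,
                                   top_level_navigation=True, method="POST")


if __name__ == "__main__":
    # Constructed requests: same-site, cross-site, and header suppressed.
    for hdrs in ({"Referer": "https://example.com/settings"},
                 {"Referer": "https://attacker.example/page.html"},
                 {}):
        print(hdrs, "->", referer_check(hdrs))
    print(session_cookie_header("abc123"))
    for mode in ("None", "Lax", "Strict"):
        print(f"SameSite={mode}: cross-site POST carries session? {csrf_post_succeeds(mode)}")
```

The third constructed request shows the trade-off from the update: a Referer check cannot distinguish a suppressed header from an attack, so a strict policy must either reject legitimate users or let that case through. The SameSite=Strict cookie needs no such guess, because the browser never sends it on a cross-site request in the first place.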