CSRF Example Usages

Good Example

Using the SameSite attribute correctly to enhance security by restricting the cookie to same-site requests:

Set-Cookie: sessionId=abc123; Secure; HttpOnly; SameSite=Strict

Explanation:

  • sessionId=abc123: The cookie name and value.

  • Secure: Ensures the cookie is only sent over HTTPS.

  • HttpOnly: Prevents the cookie from being accessed via JavaScript, mitigating XSS attacks.

  • SameSite=Strict: The cookie will only be sent for requests originating from the same site, providing strong protection against CSRF attacks.

Bad Example

Misusing the SameSite attribute or omitting it entirely, potentially leading to security vulnerabilities:

Set-Cookie: sessionId=abc123; Secure; HttpOnly

Explanation:

  • sessionId=abc123: The cookie name and value.

  • Secure: Ensures the cookie is only sent over HTTPS.

  • HttpOnly: Prevents the cookie from being accessed via JavaScript, mitigating XSS attacks.

  • Missing SameSite attribute: Without the SameSite attribute, the cookie is sent with both same-site and cross-site requests by default, which could expose the application to CSRF attacks.

Another Bad Example

Using an inappropriate value for the SameSite attribute:

Set-Cookie: sessionId=abc123; Secure; HttpOnly; SameSite=None

Explanation:

  • sessionId=abc123: The cookie name and value.

  • Secure: Ensures the cookie is only sent over HTTPS.

  • HttpOnly: Prevents the cookie from being accessed via JavaScript, mitigating XSS attacks.

  • SameSite=None: This explicitly allows the cookie to be sent with cross-site requests, and browsers accept it only when it is combined with Secure. If Secure is not present the cookie is rejected, and even with Secure present the cookie still accompanies cross-site requests, so this value on its own leaves the application exposed to CSRF attacks.
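As an added example (not part of the original page), the following Python check parses a Set-Cookie header and reports the CSRF-relevant findings for the three headers shown above, plus a constructed SameSite=None-without-Secure variant and the Lax value; the parsing and rule set are this example's own, not a library's.

```python
# Added example: a small Set-Cookie checker for the SameSite / Secure / HttpOnly
# attributes discussed on this page. Parsing and rule set are this example's own.

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie line into the cookie pair and a lower-cased attribute map."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # valueless flag -> True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def check_csrf_posture(header: str) -> list[str]:
    """Return CSRF-relevant findings for one Set-Cookie header; [] means good."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may also travel over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by page scripts (XSS exposure)")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("missing SameSite: the browser default decides whether cross-site requests carry the cookie")
    elif samesite.lower() == "none":
        if "secure" not in attrs:
            findings.append("SameSite=None without Secure: browsers that require Secure here reject the cookie")
        findings.append("SameSite=None: cookie is sent on cross-site requests; CSRF needs another defense (e.g. tokens)")
    elif samesite.lower() == "lax":
        findings.append("SameSite=Lax: top-level cross-site GET navigations still carry the cookie")
    elif samesite.lower() != "strict":
        findings.append(f"unrecognised SameSite value {samesite!r}")
    return findings


# Constructed inputs: the three headers from the page plus one deliberately broken variant.
GOOD = "Set-Cookie: sessionId=abc123; Secure; HttpOnly; SameSite=Strict"
BAD_MISSING = "Set-Cookie: sessionId=abc123; Secure; HttpOnly"
BAD_NONE = "Set-Cookie: sessionId=abc123; Secure; HttpOnly; SameSite=None"
BAD_NONE_INSECURE = "Set-Cookie: sessionId=abc123; HttpOnly; SameSite=None"

if __name__ == "__main__":
    for label, hdr in [("good", GOOD), ("missing", BAD_MISSING), ("none", BAD_NONE), ("none-insecure", BAD_NONE_INSECURE)]:
        print(f"{label}: {check_csrf_posture(hdr) or ['no findings']}")
```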
