Hacker's Docs
  • Main
  • Web Security
    • Security Headers
      • Content Security Policy
      • Same Origin Policy
    • Web Vulnerabilities
      • Cross Site Scripting
        • Stored XSS
      • Cross Site Request Forgery
        • CSRF Best Practices
        • CSRF Example Usages
      • Server Side Request Forgery
      • SQL Injection
  • Secure Coding Practices
    • Learning Resources
  • Cheatsheets
    • Security Tools
      • Nmap
      • Tcpdump
    • Cloud Tools
      • Argo
      • Docker
      • Kubernetes
    • Coding
      • Bash
      • Go
      • Python
      • C++
  • AI Security
    • Learning Resources
  • Coding Practices
    • Leetcode
    • API
    • Log Parsing
  • Penetration Testing
Powered by GitBook
On this page

Was this helpful?

  1. Web Security
  2. Web Vulnerabilities
  3. Cross Site Request Forgery

CSRF Example Usages

Good Example

Using the SameSite attribute correctly to enhance security by restricting the cookie to same-site requests:

httpCopy codeSet-Cookie: sessionId=abc123; Secure; HttpOnly; SameSite=Strict

Explanation:

  • sessionId=abc123: The cookie name and value.

  • Secure: Ensures the cookie is only sent over HTTPS.

  • HttpOnly: Prevents the cookie from being accessed via JavaScript, mitigating XSS attacks.

  • SameSite=Strict: The cookie will only be sent for requests originating from the same site, providing strong protection against CSRF attacks.

Bad Example

Misusing the SameSite attribute or omitting it entirely, potentially leading to security vulnerabilities:

httpCopy codeSet-Cookie: sessionId=abc123; Secure; HttpOnly

Explanation:

  • sessionId=abc123: The cookie name and value.

  • Secure: Ensures the cookie is only sent over HTTPS.

  • HttpOnly: Prevents the cookie from being accessed via JavaScript, mitigating XSS attacks.

  • Missing SameSite attribute: Without the SameSite attribute, the cookie is sent with both same-site and cross-site requests by default, which could expose the application to CSRF attacks.

Another Bad Example

Using an inappropriate value for the SameSite attribute:

httpCopy codeSet-Cookie: sessionId=abc123; Secure; HttpOnly; SameSite=None

Explanation:

  • sessionId=abc123: The cookie name and value.

  • Secure: Ensures the cookie is only sent over HTTPS.

  • HttpOnly: Prevents the cookie from being accessed via JavaScript, mitigating XSS attacks.

  • SameSite=None: While this allows the cookie to be sent with cross-site requests, it can only be secure if combined with Secure. If Secure is not present, it leaves the application vulnerable to CSRF attacks.

PreviousCSRF Best PracticesNextServer Side Request Forgery

Last updated 9 months ago

Was this helpful?