Security Basics mailing list archives
Re: Cross-Site Request Forgeries
From: "Dave Hull" <dphull () trustedsignal com>
Date: Mon, 28 Jul 2008 07:21:59 -0500
On Fri, Jul 25, 2008 at 12:46 PM, Ricardo Tiago <rtiago () gmail com> wrote:
What methods exist to protect against Cross-Site Request Forgeries? And what is the most efficient one?
Standard protection against CSRF is to include a cryptographically strong nonce as a hidden form field value. This value is recorded server side, so that when the POST comes back to the server from the client, the nonce that comes back is compared against what was recorded server side; if they match, then you know that the POST is really being submitted by someone who requested the page from your server. Your nonces should be set to expire.

-- Dave Hull
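The synchronizer-token scheme Dave describes, as a worked example added here (it is not code from the list post or from any particular framework): the server issues a random nonce per session, embeds it in a hidden form field, records it with an issue time, and on POST accepts the request only if the submitted value matches a live nonce recorded for that same session. The in-memory store, the session identifiers, the 15-minute TTL and the `/transfer` form are assumptions made for the example; in a real deployment the record lives in the user's server-side session. The example also makes each nonce single-use and compares in constant time, which goes slightly beyond the post's description.

```python
import hmac
import html
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a nonce is valid for 15 minutes


class CsrfTokenStore:
    """Server-side record of the nonces issued to each session.

    A dict keyed by session id stands in for the real session store.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS):
        self.ttl = ttl
        self._tokens = {}  # session_id -> {token: issued_at}

    def issue(self, session_id, now=None):
        """Mint a fresh nonce for this session and record when it was issued."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens.setdefault(session_id, {})[token] = now
        return token

    def validate(self, session_id, submitted, now=None):
        """True only if `submitted` matches an unexpired nonce recorded for
        this session. Expired nonces are purged; a matching nonce is consumed
        so it cannot be replayed."""
        now = time.time() if now is None else now
        issued = self._tokens.get(session_id, {})
        submitted = submitted or ""
        match = None
        for token, issued_at in list(issued.items()):
            if now - issued_at > self.ttl:
                del issued[token]          # expired: drop it
                continue
            # constant-time comparison avoids leaking the token byte by byte
            if hmac.compare_digest(token, submitted):
                match = token
        if match is None:
            return False
        del issued[match]                  # single use
        return True


def render_form(store, session_id, action="/transfer"):
    """Build the HTML form with the nonce as a hidden field (hypothetical page)."""
    token = store.issue(session_id)
    return (
        f'<form method="post" action="{html.escape(action)}">\n'
        f'  <input type="hidden" name="csrf_token" value="{html.escape(token)}">\n'
        '  <input type="text" name="amount">\n'
        '  <button type="submit">Send</button>\n'
        '</form>'
    )


def handle_post(store, session_id, form, now=None):
    """Server-side handling of the POST: the nonce must match this session's record.

    `form` is a dict standing in for the parsed request body.
    Returns an (http_status, message) pair.
    """
    if not store.validate(session_id, form.get("csrf_token"), now=now):
        return 403, "CSRF token missing, expired, or invalid"
    return 200, f"processed amount={form.get('amount')}"


if __name__ == "__main__":
    store = CsrfTokenStore()
    page = render_form(store, "session-A")
    print(page)
    # A request carrying the token issued to session-A is accepted once.
    token = page.split('value="')[1].split('"')[0]
    print(handle_post(store, "session-A", {"csrf_token": token, "amount": "10"}))
    # The same token presented from a different session is rejected.
    print(handle_post(store, "session-B", {"csrf_token": token, "amount": "10"}))
```

Because the nonce is looked up under the session that submits the form, a value harvested from the attacker's own session is useless against another user's session, and the TTL plus single-use purge keep the server-side record from growing without bound.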