Security Basics mailing list archives

Re: Cross-Site Request Forgeries


From: "Dave Hull" <dphull () trustedsignal com>
Date: Mon, 28 Jul 2008 07:21:59 -0500

On Fri, Jul 25, 2008 at 12:46 PM, Ricardo Tiago <rtiago () gmail com> wrote:

What methods exist to protect against Cross-Site Request Forgeries?
And what is the most efficient one?

Standard protection against CSRF is to include a cryptographically
strong nonce as a hidden form field value. This value is recorded
server-side so that when the POST comes back to the server from the
client, the nonce that comes back is compared against what was
recorded server-side; if they match, then you know that the POST is
really being submitted by someone who requested the page from your
server.

Your nonces should be set to expire.

-- 
Dave Hull
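
The synchronizer-token scheme described above, as an added Python example that is not part of the original post: it issues a random nonce per form, records it server-side with an expiry, and accepts a POST only when the submitted value matches a recorded, unexpired nonce. Binding each nonce to a session id, consuming it on first use, and the 10-minute lifetime are assumptions added here.

```python
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed lifetime; nonces expire, as the post advises


class CsrfTokenStore:
    """Server-side record of issued CSRF nonces, keyed by (session_id, token)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested
        self._tokens = {}            # (session_id, token) -> expiry timestamp

    def issue(self, session_id):
        """Generate a cryptographically strong nonce and record it for this session."""
        token = secrets.token_urlsafe(32)
        self._tokens[(session_id, token)] = self._clock() + self._ttl
        return token

    def hidden_field(self, session_id):
        """Render the hidden form field that carries the nonce to the client."""
        return f'<input type="hidden" name="csrf_token" value="{self.issue(session_id)}">'

    def _purge_expired(self):
        now = self._clock()
        for key, expiry in list(self._tokens.items()):
            if expiry <= now:
                del self._tokens[key]

    def validate(self, session_id, submitted):
        """Accept the POST only if the submitted nonce was recorded for this
        session and has not expired. The nonce is consumed, so a replay fails."""
        self._purge_expired()
        if not isinstance(submitted, str) or not submitted:
            return False
        submitted_bytes = submitted.encode("utf-8")
        for sid, token in list(self._tokens):
            if sid != session_id:
                continue
            # Constant-time comparison so timing does not leak the recorded value.
            if hmac.compare_digest(token.encode("utf-8"), submitted_bytes):
                del self._tokens[(sid, token)]
                return True
        return False
```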

