Is your Web API susceptible to a CSRF exploit?

Cross-site request forgery (CSRF) is a type of security exploit where a user’s web browser is tricked by a third-party site into performing actions on websites that the user is logged into. It is often a difficult attack to pull off, as it requires a number of factors to line up at once. Protecting against it requires good discipline and good design practices, especially when it comes to protecting Web APIs.

The various mechanisms for protecting against a CSRF attack aren’t particularly complex or difficult to implement. However, they require some discipline to follow. In my experience, retrofitting an application with proper CSRF protection is difficult; individual edge cases pop up that lead to disabling protection here and there, and eventually the system is hardly protected at all.
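To make the "not particularly complex" mechanisms concrete, here is an added example (not code from the original post) of the check a Web API might run before honouring a state-changing request. It combines two standard defences: a per-session synchronizer token that the legitimate front end echoes back in a request header, which a third-party page cannot read or set, and an Origin (or Referer fallback) check against the site's own origin. The header name `X-CSRF-Token`, the origin values, and the function names are assumptions chosen for the example.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Added example, not the original post's code. Models the server-side
# check for state-changing requests on a cookie-authenticated Web API.

# Methods that must not change state and therefore need no CSRF token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Assumed header name carrying the synchronizer token.
CSRF_HEADER = "X-CSRF-Token"


def issue_csrf_token() -> str:
    """Generate a fresh per-session token; the server stores it in the session
    and hands it to its own front end, which echoes it in CSRF_HEADER."""
    return secrets.token_urlsafe(32)


def _origin_matches(headers: dict, allowed_origin: str) -> bool:
    """True if the request's Origin (or, failing that, Referer) is our own origin.
    A request forged from another site carries that site's origin."""
    origin = headers.get("Origin")
    if origin is None:
        # Browsers may omit Origin on some same-origin requests; fall back to
        # Referer, reduced to scheme://host[:port]. If neither is present, reject.
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == allowed_origin


def is_request_csrf_safe(method: str, headers: dict,
                         session_token: Optional[str], allowed_origin: str) -> bool:
    """Return True if the request may proceed, False if it should get a 403.

    method:        HTTP method of the incoming request
    headers:       request headers (constructed dict in this example)
    session_token: the CSRF token stored in the caller's server-side session,
                   or None if no session/token exists
    allowed_origin: the API's own origin, e.g. "https://app.example"
    """
    if method.upper() in SAFE_METHODS:
        return True
    if session_token is None:
        return False
    presented = headers.get(CSRF_HEADER, "")
    # Constant-time comparison so token mismatches do not leak timing.
    if not hmac.compare_digest(presented.encode(), session_token.encode()):
        return False
    return _origin_matches(headers, allowed_origin)


def demo() -> dict:
    """Run constructed sample requests through the check and return the verdicts."""
    token = issue_csrf_token()
    site = "https://app.example"
    return {
        # Legitimate front end: same origin, correct token.
        "legit_post": is_request_csrf_safe(
            "POST", {"Origin": site, CSRF_HEADER: token}, token, site),
        # Forged cross-site request: the browser attached the session cookie,
        # but the third-party page cannot supply the token and has its own Origin.
        "forged_post": is_request_csrf_safe(
            "POST", {"Origin": "https://third-party.example"}, token, site),
        # Read-only request needs no token.
        "plain_get": is_request_csrf_safe("GET", {}, token, site),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allowed' if verdict else 'rejected'}")
```

The check only matters where authentication is ambient, i.e. the browser attaches credentials (session cookies) automatically; an API that accepts only an explicit bearer token in a header that scripts must set deliberately is not reachable by a forged form submission in the same way. The discipline the post calls for is in applying the check to every state-changing route rather than exempting the awkward ones.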
