
PR issue#1011 #1623


Open: wants to merge 10 commits into base: master

Conversation

@Pastekitoo (Contributor) commented Mar 6, 2025

Update of Cross-Site Request Forgery Prevention Cheat Sheet
This PR fixes issue #1011.
Am I going in the right direction for this issue? What's missing?
PR by me and ouch3n

@mackowski (Collaborator) left a review comment:

This duplicates content from "Employing Custom Request Headers for AJAX/API"

@mackowski (Collaborator) commented:

This change requires bigger changes ;-) For example, you are adding a technique that is already described: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md#employing-custom-request-headers-for-ajaxapi

jmanico previously approved these changes Mar 10, 2025

@mackowski (Collaborator) commented:

@Pastekitoo do you want to work on this? You will need to merge what you have here with 'Employing Custom Request Headers for AJAX/API' so we do not duplicate the content.

@Pastekitoo (Contributor, Author) commented:

@mackowski I wasn't sure how to merge my part with 'Employing Custom Request Headers for AJAX/API', so I tried something; let me know what you think.

@mackowski (Collaborator) commented:

You cannot add this content without changing existing content, because the protection that you are describing is already described here: https://github.com/OWASP/CheatSheetSeries/pull/1623/files#diff-02bc1fbe932c98d807eedbfc2a54ef8c5dbb33feb7b5400cf484a740228530f4L129

Employing Custom Request Headers for AJAX/API

Both the synchronizer token and the double-submit cookie are used to prevent forgery of form data, but they can be tricky to implement and degrade usability. Many modern web applications do not use <form> tags to submit data. A user-friendly defense that is particularly well suited for AJAX or API endpoints is the use of a custom request header. No token is needed for this approach.
In this pattern, the client appends a custom header to requests that require CSRF protection. The header can be any arbitrary key-value pair, as long as it does not conflict with existing headers.

X-YOURSITE-CSRF-PROTECTION=1

When handling the request, the API checks for the existence of this header. If the header does not exist, the backend rejects the request as potential forgery. This approach has several advantages:

  • UI changes are not required
  • no server state is introduced to track tokens

This defense relies on the CORS preflight mechanism, which sends an OPTIONS request to verify CORS compliance with the destination server. All modern browsers designate requests with custom headers as "to be preflighted". When the API verifies that the custom header is there, you know that the request must have been preflighted if it came from a browser.
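As an added example that is not code from the PR or from the cheat sheet, here is the custom-request-header defense quoted above written out on both sides in JavaScript: the client attaches the header, the API rejects state-changing requests that lack it, and the preflight handler grants the header only to the site's own front-end origin. The header name follows the cheat sheet text; the origins, the allowed-header list and the sample requests are assumptions constructed for the example.

```javascript
// Added example, not from the OWASP cheat sheet or this PR. It shows the custom
// request header CSRF defense end to end. Origins and sample requests are assumed.
const CSRF_HEADER = 'x-yoursite-csrf-protection';              // header names are case-insensitive
const TRUSTED_ORIGINS = new Set(['https://app.example.com']);  // assumed front-end origin of the API
const ALLOWED_HEADERS = new Set(['content-type', CSRF_HEADER]); // headers a preflight may grant
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);      // never change state, so no check

// Client side: the fetch() init for a state-changing call. Because of the custom
// header, a browser preflights this whenever the API is on another origin.
function buildClientRequest(method, body) {
  return {
    method,
    credentials: 'include',
    headers: { 'Content-Type': 'application/json', 'X-YOURSITE-CSRF-PROTECTION': '1' },
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// Normalise header names so the lookup below is case-insensitive.
function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Server side: a request that changes state must carry the marker header.
// A cross-site <form> post cannot add custom headers, and a cross-origin
// fetch() can only add it after a successful preflight, so a missing header
// means the request is treated as a forgery.
function checkCsrfHeader(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allowed: true, reason: 'safe method' };
  }
  if (!(CSRF_HEADER in lowerKeys(headers))) {
    return { allowed: false, reason: 'missing ' + CSRF_HEADER };
  }
  return { allowed: true, reason: 'header present' };
}

// Preflight (OPTIONS) handler. The defense only holds if this never grants the
// custom header to an untrusted origin: without Access-Control-Allow-Headers
// naming it, the browser refuses to send the actual request.
function preflightResponse(origin, accessControlRequestHeaders) {
  if (!TRUSTED_ORIGINS.has(origin)) {
    // No Access-Control-Allow-* headers at all: the browser blocks the request.
    return { status: 403, headers: {} };
  }
  const wanted = (accessControlRequestHeaders || '')
    .split(',')
    .map(h => h.trim().toLowerCase())
    .filter(h => ALLOWED_HEADERS.has(h));
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin,        // echo only a trusted origin, never '*'
      'Access-Control-Allow-Credentials': 'true',
      'Access-Control-Allow-Headers': wanted.join(', '),
      'Vary': 'Origin',
    },
  };
}

// Constructed sample requests, as the API would see them.
const forgedFormPost = {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Cookie': 'session=abc' },
};
const legitimateCall = {
  method: 'POST',
  headers: buildClientRequest('POST', { amount: 10 }).headers,
};
console.log(checkCsrfHeader(forgedFormPost.method, forgedFormPost.headers)); // allowed: false
console.log(checkCsrfHeader(legitimateCall.method, legitimateCall.headers)); // allowed: true
console.log(preflightResponse('https://evil.example', CSRF_HEADER).status);  // 403
```

The check in `checkCsrfHeader` is only as strong as the CORS policy in `preflightResponse`: a server that reflects arbitrary origins with `Access-Control-Allow-Credentials: true` and grants the requested headers would let any site obtain a preflight approval and then send the header itself, so the origin allowlist is part of the defense, not an optimisation.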

@mackowski mackowski requested a review from jmanico April 16, 2025 06:18
@jmanico (Member) commented Apr 16, 2025

I second what @mackowski is saying and will hold off on approving this until he is satisfied.


4 participants