16 Cross-site request forgery
This chapter covers
- Managing session ID usage
- Following state management conventions
- Validating the Referer header
- Sending, receiving, and verifying CSRF tokens
This chapter examines another large family of attacks, cross-site request forgery (CSRF). A CSRF attack aims to trick the victim's browser into sending a forged request to a vulnerable website. CSRF resistance boils down to whether a system can distinguish a forged request from a request the user made intentionally. Secure systems do this with request headers, response headers, cookies, and state management conventions; defense in depth is not optional.
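The following is an added, framework-free example (not code from the book) showing how a server can tell a forged request from an intentional one using two of the defenses this chapter lists: validating the request's source origin via the Origin or Referer header, and verifying a per-session CSRF token. The `ALLOWED_ORIGINS` value reuses the chapter's admin.alice.com host; the function names are assumptions for illustration.

```python
# Added example: combine source-origin validation (Origin/Referer) with a
# synchronizer token so that state-changing requests from other sites fail.
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://admin.alice.com"}        # assumed deployment value
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}   # RFC 7231 safe methods


def issue_csrf_token(session: dict) -> str:
    """Mint (or reuse) an unguessable token stored in the server-side session."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _origin_of(url: str) -> str:
    """Reduce a full URL (e.g. a Referer) to its scheme://host[:port] origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request(method: str, headers: dict, form: dict, session: dict):
    """Return (allowed, reason) for one request.

    Safe methods must not change state, so they pass without checks.
    Everything else must (1) originate from an allowed origin, as proven by
    the Origin header or, failing that, the Referer header, and (2) carry a
    form token equal to the session's token.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # Check 1: a cross-site page cannot control these headers, so a missing or
    # foreign source origin (including Origin: null) is rejected.
    source = headers.get("Origin") or headers.get("Referer")
    if not source or _origin_of(source) not in ALLOWED_ORIGINS:
        return False, "origin/referer rejected"
    # Check 2: the token must match the session; compare_digest resists
    # timing side channels, and encoding to bytes avoids TypeError on
    # non-ASCII input.
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "csrf token missing or mismatched"
    return True, "ok"
```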
16.1 What is request forgery?
Suppose Alice deploys admin.alice.com, the administrative counterpart of her online ...