Follow the Logic to Protect Against CSRF
Cross-site request forgery requires the site to trust the browser. Attackers abuse this trust by making the browser submit legitimate-looking requests to the web application. We fight this by adding watermarks, or things attackers can't forge, so that the site can differentiate between legitimate and forged requests.
In a CSRF attack, the attacker forces the browser to make a request. Attackers can't do that via AJAX because browsers by default don't allow cross-origin requests. Thus, CSRF is a blind attack, similar to blind SQL injection discussed in "Avoid SQL Injection Attacks". Attackers can make the requests but will typically not see the responses.
By default, websites can't make requests ...