csrf-protection Questions
2
Solved
We are building 3 different applications MVC application, API, SPA (not Angular) with ASP.NET Core. All the actions in this application are only for authorized users. That's why we protect them wit...
Worse asked 26/5, 2017 at 9:4
1
I recently enabled CSRF protection in my web application. There are around 100+ JSP pages containing FORM submissions. What is the best way of adding the CSRF token:
<input type="hidden" name="${_csrf...
Backsheesh asked 13/8, 2016 at 9:48
1
I have application written in Symfony 2.8.11 and FosUserBundle 2.0.0-beta1.
User can connect to the site via VPN or basic auth. Mostly they use Internet Explorer 11 on Windows 7.
Some of them are ...
Disciple asked 5/1, 2017 at 10:44
2
Solved
If I understand correctly, in a CSRF attack a malicious website A tells my browser to send a request to site B. My browser will automatically include my B cookies in that request. Although A cannot...
Simulate asked 28/11, 2016 at 9:51
2
In Aurelia, there doesn't seem to be any support for CSRF protection yet, as opposed to AngularJS's XSRF-TOKEN header which is set automatically on all XHR requests by the AngularJS framework.
How...
Antetype asked 14/7, 2015 at 6:45
4
My Laravel5 website uses csrf tokens to prevent CSRF attacks. On Chrome and Firefox, everything works fine.
I submitted the site for my client to test and, when he uses Internet Explorer (9/10), he...
Accipitrine asked 18/6, 2015 at 6:23
1
I am working on a Rails 5 api project which is used by mobile client with gem devise_token_auth for authorization.
I am clear about what the warning means.
1st Question: CSRF protect should be t...
Madcap asked 23/8, 2016 at 6:11
1
Solved
I have read multiple questions and answers here on StackOverflow about InvalidAuthenticityToken and protect_from_forgery but get none the wiser.
I have a website that get hundreds of these errors...
Face asked 20/8, 2016 at 14:56
1
Solved
I am pretty new to web security, and as I read more about the different attack vectors, my mind boggles that they are allowed in the first place. It's like the web was designed with a broken securi...
Urease asked 1/6, 2016 at 4:59
2
Solved
Is it necessary to use CSRF Protection when the application relies on stateless authentication (using something like HMAC)?
Example:
We've got a single page app (otherwise we have to append the ...
Opus asked 25/1, 2014 at 22:40
2
I am sending a POST request from an iOS client
-(void)loadFavorite:(NSArray*)favorites{
//data and url preparation
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url
cach...
Childbirth asked 24/6, 2015 at 16:58
1
Solved
I am working on a Tomcat application. I am trying to add the CSRF authentication token provided by the Catalina library (org.apache.catalina.filters.CsrfPreventionFilter). I have added the filter to web.xml
<filt...
Eyestrain asked 10/4, 2016 at 13:23
1
I am using <csrf/> tag in my spring security xml file for a web project. And sending csrf token in a form:
<form action="" method="post">
<input type="hidden" name="${_csrf.paramete...
Tc asked 7/3, 2016 at 13:4
1
Solved
I am developing a Rails 4 app that serves a mobile app through an API, and has a web UI for admins to manage the application. There's also a couple of web pages that users will see (successful e-ma...
Inactivate asked 10/12, 2015 at 0:6
3
I have two web apps, one for the Web UI in AngularJS and one for the REST webservices in Java. Both are deployed on separate domains.
The application uses a cookie for authentication. Whenever user...
Passepartout asked 6/1, 2015 at 6:41
2
Solved
A Cross-Site Request Forgery attack rides on the victim's session to submit malicious requests to a trusted site. The Cheat Sheet here describes CAPTCHA as a good way to prevent CSRF attacks.
As w...
Spiritless asked 16/9, 2015 at 3:54
1
Solved
I'm trying to create a Facebook Page Tab which points to my website.
Facebook sends a HTTP POST request to the url of my website.
The problem here is that the server has a built-in CSRF check, and...
Dermoid asked 15/9, 2015 at 8:13
2
Solved
Django CSRF protection forces setting the "Vary: Cookie" header, which leads to inefficient caching
Django's CsrfViewMiddleware sets the "Vary: Cookie" header, which means that the cache system will take into account not only the page URL but also the user's cookies, which are unique for each user.
So pages don't c...
Lipetsk asked 12/8, 2015 at 7:48
2
Solved
This question is more a reassurance than one directly about how to code. As an autodidact I did not have a lot of possibilities to ask professionals such things, so I try here.
I have read the do...
Cecrops asked 31/3, 2012 at 13:39
2
Solved
I have read about CSRF and how the Unpredictable Synchronizer Token Pattern is used to prevent it. I didn't quite understand how it works.
Let's take this scenario :
A user is logged into a site ...
Ine asked 9/7, 2015 at 16:36
2
There are some discussions like this on SO claiming that csrf protection is not required for anonymous forms. Looking at the stackoverflow html code, when not logged in, you can see the csrf token
...
Clausius asked 10/6, 2015 at 21:48
1
Solved
Disclaimer: My question is somewhat similar to this question and this question, but I have tried all the answers suggested in those threads and already spent few days struggling with the problem.
...
Contamination asked 28/5, 2015 at 5:58
1
Solved
I copied some old code that was working in compojure 1.1.18 and other old libs, but using the latest versions I can't get it to work.
Here's my minimal example code copied from the minimal example...
Grizzle asked 11/5, 2015 at 16:10
1
Solved
I'm integrating AngularJS into hackathon-starter. It was done as I mentioned here, with the following test.html and test.controller.js
<div>
The record: {{record}}
</div>
<div a...
Cyclohexane asked 8/5, 2015 at 12:35
2
I need to create "bulk actions" similar to wordpress posts management, so you can for example delete multiple records at a time.
This is my approach, and works fine, but I'm sure it is not the be...
Ogilvy asked 11/3, 2015 at 17:8
© 2022 - 2024 — McMap. All rights reserved.