Cross-Site Request Forgery

An attack when user using cookie:

1. Victim logs in to like bank
2. Victim browser set credential in cookie
3. Victim visits evil.comevil.com triggers request to bank.com
4. Browser sends cookie
5. bank.com trusts request

// if jwt is sent in header (bearer), immune since do NOT auto-send Authorization headers

CSRF Protection Techniques

1. CSRF Tokens (Most Common)
   • Store token in either request body OR header
   • Never rely on cookie alone.

Server → random token
Client → include token in request (request body OR header)
Server → verify

1. SameSite Cookies

   • Strict
     • Strict for same site

   google.com → yoursite.com ❌ cookie NOT sent
   yoursite.com → yoursite.com ✅ cookie sent
   

   • Lax (modern browser default)
     • Same-site requests
     • Top-level navigation (GET)

   Link click → yoursite.com (GET) ✅
   Form POST from evil.com ❌
   

   • None
     • Cookie is sent always

   evil.com → yoursite.com ✅ cookie sent
   

2. Double Submit Cookie

   • CSRF token in cookie
   • Same token in request body/header
   • Workflow:

     1. Server sends this cookie: csrf = 123ABC

     2. Browser stores it.

     3. JS reads the cookie value (123ABC)

     4. Sends it again inside the request

        Cookie: csrf=123ABC
        X-CSRF-Token: 123ABC
        

     5. Server checks whether both match.

   • XSS can break double submit (since it can read)