csrf defense methods include: 1. Verify the HTTP Referer field; 2. Add token to the request address and verify it; 3. Customize attributes in the HTTP header and verify it. CSRF is an attack method that coerces users to perform unintended operations on the web application they are currently logged in to.
csrf is an attack method that coerces users to perform unintentional operations on the currently logged-in web application.
csrf defense method:
There are currently three main strategies to defend against CSRF attacks:
1. Verify the HTTP Referer field;
2. In the request address Add token and verify;
3. Customize attributes in HTTP header and verify.
Let’s talk about it in detail:
(1) Verify the HTTP Referer field
According to the HTTP protocol, there is a field in the HTTP header called Referer, which records the source address of the HTTP request. Typically, requests to access a secure restricted page originate from the same website. If a hacker wants to implement a CSRF attack on a bank's website, he can only construct a request on his own website. When a user sends a request to the bank through the hacker's website, the Referer of the request points to the hacker's own website.
Therefore, to defend against CSRF attacks, the bank website only needs to verify its Referer value for each transfer request. If it is a domain name starting with bank.example, it means that the request is from the bank website itself. Yes legal. If the Referer is another website, it may be a CSRF attack by a hacker and the request will be rejected.
The obvious benefit of this method is that it is simple and easy to implement. Ordinary developers of the website do not need to worry about CSRF vulnerabilities. They only need to add an interceptor to all security-sensitive requests at the end to check the Referer value. can. Especially for the current existing system, there is no need to change any existing code and logic of the current system, there is no risk, and it is very convenient.
(2) Add token to the request address and verify
The reason why the CSRF attack can be successful is because the hacker can completely forge the user's request, and all the requests in the request All user authentication information exists in cookies, so hackers can directly use the user's own cookies to pass security verification without knowing the authentication information.
To resist CSRF, the key is to put information in the request that hackers cannot forge, and this information does not exist in cookies. You can add a randomly generated token as a parameter to the HTTP request, and create an interceptor on the server side to verify the token. If there is no token in the request or the token content is incorrect, it is considered that it may be a CSRF attack and the request will be rejected. .
(3) Customize attributes in the HTTP header and verify
This method also uses tokens and performs verification. The difference from the previous method is that here Instead of putting the token as a parameter in the HTTP request, it puts it in a custom attribute in the HTTP header. Through the XMLHttpRequest class, you can add the csrftoken HTTP header attribute to all requests of this type at once, and put the token value into it.
This solves the inconvenience of adding token to the request in the previous method. At the same time, the address requested through XMLHttpRequest will not be recorded in the browser's address bar, and there is no need to worry about the token being leaked to other websites through the Referer. Go in.
However, this method has great limitations. The XMLHttpRequest request is usually used for partial asynchronous refresh of the page in the Ajax method. Not all requests are suitable to be initiated with this class, and the page obtained through this class request cannot be recorded by the browser, so that forward, backward, and refresh can be performed. , collection and other operations bring inconvenience to users.
In addition, for legacy systems that do not have CSRF protection, if you want to use this method for protection, you must change all requests to XMLHttpRequest requests. This will almost rewrite the entire website, which is undoubtedly costly. It's unacceptable.
If you want to know more related issues, you can visit php Chinese website.
The above is the detailed content of What are the CSRF defense methods?. For more information, please follow other related articles on the PHP Chinese website!

随着互联网的发展,Web服务器和应用程序变得越来越复杂,安全攻击也渐渐增多,Nginx是Web服务器和负载均衡技术中使用最广泛的工具之一。Nginx的反向代理机制可以使其成为一个可靠的应用服务器,同时也是一个被广泛攻击的目标。在这篇文章中,我们将探讨如何在Nginx反向代理中防御HTTP请求嗅探攻击。什么是HTTP请求嗅探攻击?HTTP请求嗅探攻击是一种常见

PHPSession跨域与跨站请求伪造的对比分析随着互联网的发展,Web应用程序的安全性显得格外重要。在开发Web应用程序时,PHPSession是一种常用的身份验证和会话跟踪机制,而跨域请求和跨站请求伪造(CSRF)则是两种主要的安全威胁。为了保护用户数据和应用程序的安全性,开发人员需要了解Session跨域和CSRF的区别,并采

PHP框架安全指南:如何防止CSRF攻击?跨站点请求伪造(CSRF)攻击是一种网络攻击,其中攻击者诱骗用户在受害者的网络应用程序中执行非预期操作。CSRF如何工作?CSRF攻击利用了一个事实:大多数Web应用程序允许在同一个域名内不同页面之间发送请求。攻击者创建恶意页面,该页面向受害者的应用程序发送请求,触发未经授权的操作。如何防止CSRF攻击?1.使用反CSRF令牌:向每个用户分配一个唯一的令牌,将其存储在会话或Cookie中。在应用程序中包含一个隐藏字段,用于提交该令牌

Laravel中的跨站脚本攻击(XSS)和跨站请求伪造(CSRF)防护随着互联网的发展,网络安全问题也变得越来越严峻。其中,跨站脚本攻击(Cross-SiteScripting,XSS)和跨站请求伪造(Cross-SiteRequestForgery,CSRF)是最为常见的攻击手段之一。Laravel作为一款流行的PHP开发框架,为用户提供了多种安全机

Java是一种广泛使用的编程语言,用于开发各种类型的应用程序。然而,由于其流行程度和广泛使用,Java程序也成为了黑客攻击的目标之一。本文将讨论如何使用一些方法来保护Java程序免受命令注入攻击的威胁。命令注入攻击是一种黑客攻击技术,通过在输入参数中插入恶意命令,来执行不受控制的操作。这种攻击可以让黑客执行系统命令、访问敏感数据或者获取系统权限。为了防止这种

随着网络的不断发展,网页应用也越来越多,然而,安全问题也越来越引起人们的关注。CSRF(CrossSiteRequestForgery,即跨站请求伪造)攻击就是一种常见的网络安全问题。CSRF攻击是什么?所谓CSRF攻击,就是攻击者盗用了用户的身份,以用户的名义进行非法操作。通俗的讲,就是攻击者利用用户的登录态,在用户毫不知情的情况下,进行一些非法的操

PHP中的跨站请求伪造(CSRF)防御技术解析随着互联网的快速发展,网络安全问题日益突出。跨站请求伪造(CSRF)攻击是一种常见的网络安全威胁,它利用用户已登陆的身份信息,通过伪装的请求发送恶意操作,导致用户在不知情的情况下执行了恶意操作。在PHP开发中,如何防御CSRF攻击成为了一个重要的问题。CSRF攻击原理在了解如何防御CSRF攻击之前,先了解一下CS

PHP和Vue.js开发防御跨站请求伪造(CSRF)攻击的应用程序随着互联网应用程序的发展,跨站请求伪造(Cross-SiteRequestForgery,CSRF)攻击成为了一种常见的安全威胁。它利用用户已经登录的身份进行伪造请求,从而执行恶意操作,如修改用户密码、发布垃圾信息等。为了保护用户的安全和数据的完整性,我们需要在应用程序中实施有效的CSRF


Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

AI Hentai Generator
Generate AI Hentai for free.

Hot Article

Hot Tools

Zend Studio 13.0.1
Powerful PHP integrated development environment

Atom editor mac version download
The most popular open source editor

ZendStudio 13.5.1 Mac
Powerful PHP integrated development environment

SublimeText3 Mac version
God-level code editing software (SublimeText3)

Dreamweaver Mac version
Visual web development tools
