What are the CSRF defense methods?

csrf defense methods include: 1. Verify the HTTP Referer field; 2. Add token to the request address and verify it; 3. Customize attributes in the HTTP header and verify it. CSRF is an attack method that coerces users to perform unintended operations on the web application they are currently logged in to.

csrf is an attack method that coerces users to perform unintentional operations on the currently logged-in web application.

csrf defense method:

There are currently three main strategies to defend against CSRF attacks:

1. Verify the HTTP Referer field;

2. In the request address Add token and verify;

3. Customize attributes in HTTP header and verify.

Let’s talk about it in detail:

(1) Verify the HTTP Referer field

According to the HTTP protocol, there is a field in the HTTP header called Referer, which records the source address of the HTTP request. Typically, requests to access a secure restricted page originate from the same website. If a hacker wants to implement a CSRF attack on a bank's website, he can only construct a request on his own website. When a user sends a request to the bank through the hacker's website, the Referer of the request points to the hacker's own website.

Therefore, to defend against CSRF attacks, the bank website only needs to verify its Referer value for each transfer request. If it is a domain name starting with bank.example, it means that the request is from the bank website itself. Yes legal. If the Referer is another website, it may be a CSRF attack by a hacker and the request will be rejected.

The obvious benefit of this method is that it is simple and easy to implement. Ordinary developers of the website do not need to worry about CSRF vulnerabilities. They only need to add an interceptor to all security-sensitive requests at the end to check the Referer value. can. Especially for the current existing system, there is no need to change any existing code and logic of the current system, there is no risk, and it is very convenient.

(2) Add token to the request address and verify

The reason why the CSRF attack can be successful is because the hacker can completely forge the user's request, and all the requests in the request All user authentication information exists in cookies, so hackers can directly use the user's own cookies to pass security verification without knowing the authentication information.

To resist CSRF, the key is to put information in the request that hackers cannot forge, and this information does not exist in cookies. You can add a randomly generated token as a parameter to the HTTP request, and create an interceptor on the server side to verify the token. If there is no token in the request or the token content is incorrect, it is considered that it may be a CSRF attack and the request will be rejected. .

(3) Customize attributes in the HTTP header and verify

This method also uses tokens and performs verification. The difference from the previous method is that here Instead of putting the token as a parameter in the HTTP request, it puts it in a custom attribute in the HTTP header. Through the XMLHttpRequest class, you can add the csrftoken HTTP header attribute to all requests of this type at once, and put the token value into it.

This solves the inconvenience of adding token to the request in the previous method. At the same time, the address requested through XMLHttpRequest will not be recorded in the browser's address bar, and there is no need to worry about the token being leaked to other websites through the Referer. Go in.

However, this method has great limitations. The XMLHttpRequest request is usually used for partial asynchronous refresh of the page in the Ajax method. Not all requests are suitable to be initiated with this class, and the page obtained through this class request cannot be recorded by the browser, so that forward, backward, and refresh can be performed. , collection and other operations bring inconvenience to users.

In addition, for legacy systems that do not have CSRF protection, if you want to use this method for protection, you must change all requests to XMLHttpRequest requests. This will almost rewrite the entire website, which is undoubtedly costly. It's unacceptable.

If you want to know more related issues, you can visit php Chinese website.

The above is the detailed content of What are the CSRF defense methods?. For more information, please follow other related articles on the PHP Chinese website!