HTTPS protects data in transit<\/em>, but doesn\u2019t stop Cross-Site Request Forgery (CSRF) attacks. This guide shows how to add CSRF tokens to your web application running on HTTPS for better security.<\/p>\n Cross-Site Request Forgery lets an attacker trick a logged-in user into performing unwanted actions on a website. HTTPS encrypts communication, but doesn\u2019t verify the origin<\/em> of requests. A malicious site can still send valid requests to your server if the user is authenticated.<\/p>\n Generate Unique Tokens: Your server needs to create a unique, unpredictable token for each user session (or even per-form). This token will be included with sensitive forms.<\/p>\n Use a cryptographically secure random number generator. Include Token in Forms: Add a hidden field to every form that performs sensitive actions (e.g., changing passwords, making purchases). Validate Token on Server-Side: When the form is submitted, your server must<\/em> verify that the received token matches the one stored in the user\u2019s session.<\/p>\n Compare the submitted token with the session token. Example Python (Flask) Code: app = Flask(__name__) @app.route(‘\/login’, methods=[‘POST’]) @app.route(‘\/change-password’, methods=[‘POST’]) Cookie Considerations: While storing the token in a session is common, you can also store it in an HTTP-only cookie. This offers some protection against JavaScript access but requires careful handling of SameSite attributes.<\/p>\n Set SameSite=Strict or SameSite=Lax on your CSRF cookie to prevent cross-site requests from including the token. Double Submit Cookie Pattern: An alternative approach involves storing a random value in both a session and an HTTP-only, SameSite cookie. The server validates that both values match on form submission.<\/p>\n Testing Your Implementation:<\/p>\n Attempt to submit a valid form from your own website (should succeed). HTTPS is essential: CSRF protection works best when combined with HTTPS. The post CSRF Protection with HTTPS<\/a> appeared first on Blog | G5 Cyber Security<\/a>.<\/p>","protected":false},"excerpt":{"rendered":" TL;DR HTTPS protects data in transit, but doesn\u2019t stop Cross-Site Request Forgery (CSRF) attacks. This guide shows how to add CSRF tokens to your web application running on HTTPS for better security. What is CSRF and Why it Matters Even with HTTPS Cross-Site Request Forgery lets an attacker trick a logged-in user into performing unwanted […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-6004","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6004"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6004"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6004\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6004"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6004"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6004"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}What is CSRF and Why it Matters Even with HTTPS<\/h2>\n
Implementing CSRF Protection<\/h2>\n
\nStore the token securely on the server, associated with the user\u2019s session.<\/p>\n
\n<form action=”\/change-password” method=”post”>
\n <input type=”hidden” name=”csrf_token” value=”{{ session[‘csrf_token’] }}”>
\n … other form fields …
\n<\/form><\/p>\n
\nIf they don\u2019t match, reject the request immediately. Do not process it!
\nConsider regenerating the token after validation to prevent replay attacks.<\/p>\n
\nfrom flask import Flask, render_template, session, request
\nimport secrets<\/p>\n
\napp.secret_key = ‘your-secret-key’ # Change this!<\/p>\n
\n # … login logic …
\n session[‘csrf_token’] = secrets.token_hex(16) # Generate token on login
\n return render_template(‘home.html’)<\/p>\n
\n if request.form[‘csrf_token’] == session[‘csrf_token’]:
\n # Process password change
\n session[‘csrf_token’] = secrets.token_hex(16) # Regenerate token
\n return ‘Password changed!’
\n else:
\n return ‘CSRF Token Invalid’, 403<\/p>\n
\nEnsure the cookie is marked as HTTPOnly to protect against XSS attacks.<\/p>\n
\nAttempt to submit the same form from a different domain (should fail).
\nTry submitting a modified form with an incorrect token (should fail).<\/p>\nImportant Notes<\/h2>\n
\nToken Length: Use sufficiently long and random tokens to prevent guessing. 16 bytes (32 hex characters) is a good starting point.
\nSession Security: Protect your session management system from attacks like session fixation and hijacking.<\/p>\n