How to protect against CSRF

#1

Any request that includes a valid session token is able to perform a query on behalf of the user the session token belongs to. Therefore being susceptible to CSRF attacks is a real possibility.

A malicious website could extract such data from session storage and then replicate that user, or redirect to the site and perform actions on behalf of that user.

Has anyone implemented csurf or something similar to ensure that the request is coming from a valid origin? How could we implement some sort of protection in Parse Server?

See here for node examples of this: https://www.twilio.com/blog/2018/01/protect-your-node-js-app-from-cross-site-request-forgery.html

#2

For guidance on how to implement CSRF, you can look at the parse-dashboard.

#3

So you think this is a pattern that could be implemented on each XHR request, or is there a significant performance overhead of performing this checking in addition to session token checking?

I expect that if it failed then you would destroy the session token, as it's being used elsewhere.

Thanks for getting back to me btw - the example is a big help 🙂

#4

I haven't really given it enough thought to know.

I have implemented CSRF for web frameworks before. Statefulness is required, so in a distributed environment there will be some overhead, but that's true of most useful things. If you want to protect against replay attacks, then this is the cost. It should be able to be implemented quickly with Redis or some such.
