What are the CSRF defense methods?
csrf defense methods include: 1. Verify the HTTP Referer field; 2. Add token to the request address and verify it; 3. Customize attributes in the HTTP header and verify it. CSRF is an attack method that coerces users to perform unintended operations on the web application they are currently logged in to.
csrf is an attack method that coerces users to perform unintentional operations on the currently logged-in web application.
csrf defense method:
There are currently three main strategies to defend against CSRF attacks:
1. Verify the HTTP Referer field;
2. In the request address Add token and verify;
3. Customize attributes in HTTP header and verify.
Let’s talk about it in detail:
(1) Verify the HTTP Referer field
According to the HTTP protocol, there is a field in the HTTP header called Referer, which records the source address of the HTTP request. Typically, requests to access a secure restricted page originate from the same website. If a hacker wants to implement a CSRF attack on a bank's website, he can only construct a request on his own website. When a user sends a request to the bank through the hacker's website, the Referer of the request points to the hacker's own website.
Therefore, to defend against CSRF attacks, the bank website only needs to verify its Referer value for each transfer request. If it is a domain name starting with bank.example, it means that the request is from the bank website itself. Yes legal. If the Referer is another website, it may be a CSRF attack by a hacker and the request will be rejected.
The obvious benefit of this method is that it is simple and easy to implement. Ordinary developers of the website do not need to worry about CSRF vulnerabilities. They only need to add an interceptor to all security-sensitive requests at the end to check the Referer value. can. Especially for the current existing system, there is no need to change any existing code and logic of the current system, there is no risk, and it is very convenient.
(2) Add token to the request address and verify
The reason why the CSRF attack can be successful is because the hacker can completely forge the user's request, and all the requests in the request All user authentication information exists in cookies, so hackers can directly use the user's own cookies to pass security verification without knowing the authentication information.
To resist CSRF, the key is to put information in the request that hackers cannot forge, and this information does not exist in cookies. You can add a randomly generated token as a parameter to the HTTP request, and create an interceptor on the server side to verify the token. If there is no token in the request or the token content is incorrect, it is considered that it may be a CSRF attack and the request will be rejected. .
(3) Customize attributes in the HTTP header and verify
This method also uses tokens and performs verification. The difference from the previous method is that here Instead of putting the token as a parameter in the HTTP request, it puts it in a custom attribute in the HTTP header. Through the XMLHttpRequest class, you can add the csrftoken HTTP header attribute to all requests of this type at once, and put the token value into it.
This solves the inconvenience of adding token to the request in the previous method. At the same time, the address requested through XMLHttpRequest will not be recorded in the browser's address bar, and there is no need to worry about the token being leaked to other websites through the Referer. Go in.
However, this method has great limitations. The XMLHttpRequest request is usually used for partial asynchronous refresh of the page in the Ajax method. Not all requests are suitable to be initiated with this class, and the page obtained through this class request cannot be recorded by the browser, so that forward, backward, and refresh can be performed. , collection and other operations bring inconvenience to users.
In addition, for legacy systems that do not have CSRF protection, if you want to use this method for protection, you must change all requests to XMLHttpRequest requests. This will almost rewrite the entire website, which is undoubtedly costly. It's unacceptable.
If you want to know more related issues, you can visit php Chinese website.
The above is the detailed content of What are the CSRF defense methods?. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
Cross-site scripting (XSS) and cross-site request forgery (CSRF) protection in Laravel
Aug 13, 2023 pm 04:43 PM
Cross-site scripting (XSS) and cross-site request forgery (CSRF) protection in Laravel With the development of the Internet, network security issues have become more and more serious. Among them, Cross-SiteScripting (XSS) and Cross-SiteRequestForgery (CSRF) are one of the most common attack methods. Laravel, as a popular PHP development framework, provides users with a variety of security mechanisms
Prevent injection attacks: Java security control methods
Jun 30, 2023 pm 05:16 PM
Java is a widely used programming language used to develop various types of applications. However, due to its popularity and widespread use, Java programs have also become one of the targets of hackers. This article will discuss how to use some methods to protect Java programs from the threat of command injection attacks. Command injection attack is a hacking technique that performs uncontrolled operations by inserting malicious commands into input parameters. This type of attack can allow hackers to execute system commands, access sensitive data, or gain system privileges. In order to prevent this
HTTP request sniffing defense method in Nginx reverse proxy
Jun 11, 2023 am 08:12 AM
With the development of the Internet, web servers and applications have become more and more complex, and security attacks have gradually increased. Nginx is one of the most widely used tools in web servers and load balancing technology. Nginx's reverse proxy mechanism can make it a reliable application server, but it is also a widely attacked target. In this article, we will explore how to defend against HTTP request sniffing attacks in Nginx reverse proxy. What is an HTTP request sniffing attack? HTTP request sniffing attacks are a common
Comparative analysis of PHP Session cross-domain and cross-site request forgery
Oct 12, 2023 pm 12:58 PM
Comparative analysis of PHPSession cross-domain and cross-site request forgery With the development of the Internet, the security of web applications has become particularly important. PHPSession is a commonly used authentication and session tracking mechanism when developing web applications, while cross-domain requests and cross-site request forgery (CSRF) are two major security threats. In order to protect the security of user data and applications, developers need to understand the difference between Session cross-domain and CSRF, and adopt
PHP Framework Security Guide: How to Prevent CSRF Attacks?
Jun 01, 2024 am 10:36 AM
PHP Framework Security Guide: How to Prevent CSRF Attacks? A Cross-Site Request Forgery (CSRF) attack is a type of network attack in which an attacker tricks a user into performing unintended actions within the victim's web application. How does CSRF work? CSRF attacks exploit the fact that most web applications allow requests to be sent between different pages within the same domain name. The attacker creates a malicious page that sends requests to the victim's application, triggering unauthorized actions. How to prevent CSRF attacks? 1. Use anti-CSRF tokens: Assign each user a unique token, store it in the session or cookie. Include a hidden field in your application for submitting that token
CSRF attack in PHP
May 25, 2023 pm 08:31 PM
With the continuous development of the Internet, there are more and more web applications. However, security issues are also attracting more and more attention. CSRF (CrossSiteRequestForgery, cross-site request forgery) attack is a common network security problem. What is a CSRF attack? The so-called CSRF attack means that the attacker steals the user's identity and performs illegal operations in the user's name. In layman's terms, it means that the attacker uses the user's login status to perform some illegal operations without the user's knowledge.
What is Cross-Site Request Forgery (CSRF) and how do you implement CSRF protection in PHP?
Apr 07, 2025 am 12:02 AM
In PHP, you can effectively prevent CSRF attacks by using unpredictable tokens. Specific methods include: 1. Generate and embed CSRF tokens in the form; 2. Verify the validity of the token when processing the request.
PHP and Vue.js develop applications that defend against cross-site request forgery (CSRF) attacks
Jul 05, 2023 pm 07:21 PM
PHP and Vue.js develop applications that defend against cross-site request forgery (CSRF) attacks. With the development of Internet applications, cross-site request forgery (CSRF) attacks have become a common security threat. It uses the user's logged-in identity to make forged requests to perform malicious operations, such as changing user passwords, publishing spam, etc. To protect the security of our users and the integrity of our data, we need to implement effective CSRF in our applications
