CSRF
Eugenue Cesarevich, 2021-04-02 13:24:41

How does CSRF work?

There is something I do not quite understand about CSRF protection. That is, the essence of the protection is that we have an additional token that we send to the server with each request. I have two questions:

1. To send requests to the server, we embed a CSRF token in the form. What prevents an attacker from making exactly the same form, into which the CSRF token from our cookies will be inserted in the same way?

2. How do we make the very first request to the server (authentication) if we don't have a CSRF token yet? Or is authentication allowed without this token?


2 answers
Denis Ineshin, 2021-04-02
@IonDen

The CSRF token is different every time. When the site loads, a fresh one is substituted into the form. But if you copy it and try to use it from another place, it will immediately become invalid.

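Added illustration, not part of the thread and not code from any project it mentions: a minimal server-side synchronizer-token check in Python that shows why the look-alike form from question 1 fails and how the login form from question 2 still gets a token. The token is bound to the session id with an HMAC (an assumed design; frameworks differ, and some also rotate the token per request), it is rendered into the HTML form and never placed in the cookie, so a page on another origin cannot read it, while the browser still attaches the victim's session cookie automatically. `SERVER_SECRET` and every request dict are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def issue_session() -> str:
    """Start a session (pre-login or logged in); the id travels in the session cookie."""
    return secrets.token_urlsafe(32)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: random nonce + HMAC binding it to one session.

    The server renders this into the form; it is never stored in a cookie.
    """
    nonce = secrets.token_urlsafe(16)
    tag = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, tag = token.rsplit(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def handle_post(request: dict) -> str:
    """Minimal handler: the cookie identifies the session, the form field carries the token."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return "401 no session"
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token")):
        return "403 csrf check failed"
    return "200 ok"


def simulate() -> dict:
    """Replay the scenarios from the question with constructed requests."""
    # 1. Victim visits the site: server sets a session cookie and renders a form with a token.
    victim_session = issue_session()
    legitimate = {
        "cookies": {"session": victim_session},
        "form": {"csrf_token": issue_csrf_token(victim_session), "amount": "10"},
    }

    # 2. A look-alike form on another origin: the browser attaches the victim's cookie,
    #    but the other origin cannot read the victim's page, so no valid token is available.
    forged_no_token = {"cookies": {"session": victim_session}, "form": {"amount": "10"}}

    # 3. A token taken from a different session is rejected because the HMAC is bound
    #    to the session id in the cookie that accompanies the request.
    other_session = issue_session()
    forged_other_token = {
        "cookies": {"session": victim_session},
        "form": {"csrf_token": issue_csrf_token(other_session), "amount": "10"},
    }

    # 4. Question 2: the login page is served under a pre-login session, so the login
    #    form carries a token too; nothing needs to be submitted without one.
    pre_login_session = issue_session()
    login = {
        "cookies": {"session": pre_login_session},
        "form": {"csrf_token": issue_csrf_token(pre_login_session), "user": "alice"},
    }

    return {
        "legitimate": handle_post(legitimate),
        "forged_no_token": handle_post(forged_no_token),
        "forged_other_token": handle_post(forged_other_token),
        "login": handle_post(login),
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

Running the module prints `200 ok` for the legitimate request and for the login, and `403 csrf check failed` for both forged requests. The point for question 1 is that copying the form's HTML does not help: the value that matters is generated for the victim's session and is only visible to pages on the site's own origin.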
Sergey delphinpro, 2021-04-02
@delphinpro

Did you read and understand everything here? https://learn.javascript.ru/csrf
