5,442 questions
0 votes · 0 answers · 44 views
Why am I observing an unexpected behavior using github.com/utrack/gin-csrf
I'm using the github.com/utrack/gin-csrf package to implement CSRF protection in my web application. I'm observing an unexpected pattern using the simple Go application in their repo.
Step 1 ...
1 vote · 2 answers · 75 views
Laravel Sanctum SPA Auth: 419 (unknown status) Token mismatch error
Problem
I am struggling with an annoying 419 error when trying to log out. Login and register are working fine. My API and SPA are on the same top-level domain, but different ports
api - localhost:8000
spa ...
Best practices
1 vote · 4 replies · 85 views
JWT and CSRF tokens or just JWT token for security?
Good day peeps,
What's the purpose of having both a JWT and CSRF token stored in cookies?
If a malicious actor steals/performs a replay attack, they will be authorized and receive the same data as the ...
1 vote · 1 answer · 70 views
403 Forbidden: "CSRF Failed: CSRF token missing." on DRF api-token-auth/ after applying csrf_exempt
I'm encountering a persistent 403 Forbidden error with the detail:
CSRF Failed: CSRF token missing.
This happens when trying to obtain an authentication token using Django REST Framework's built-in ...
0 votes · 1 answer · 76 views
CSRF token could not be verified whenever server restarts
I use OCaml/Dream to create a simple HTML form (No sensitive data at all).
let form_page request =
let _csrf_token = Dream.csrf_token request in
Dream.html (Printf.sprintf {|
<form action="/...
0 votes · 1 answer · 66 views
gorilla/csrf in my Go API not sending headers to my Nuxt frontend after signup using OAuth, err: Invalid origin
Firstly, the OAuth flow itself works. After signup/login I create a session using gorilla/sessions and set the session cookie.
Now, since I use cookies as the auth mechanism, I thought it followed ...
0 votes · 0 answers · 87 views
Spring Boot CSRF/XSRF Token Validation Bypass
I'm facing an issue with my application which is allowing the user to change the X-XSRF-TOKEN and it's being validated in the backend.
For the context: I'm using Spring Boot 2.7.7 and Spring Security ...
1 vote · 0 answers · 52 views
Spring Boot upgrade requires CSRF token for multipart file upload POST request
We upgraded our Spring Boot application from 2.5.14 to 3.5.5; now POST requests for multipart file upload are failing with a 403 response. This is a service-to-service interface, no user login is ...
1 vote · 1 answer · 65 views
CSRF acting strange with springdoc in stateless service
Let's consider that I have a stateless service with an authentication mechanism that makes the browser automatically send the credentials which then makes even a stateless service vulnerable. I want ...
0 votes · 0 answers · 55 views
CSRF Vulnerability in nodejs
I was getting a Missing CSRF vulnerability in CodeQL. To fix that I implemented it; I am using both session-based and auth-based (JWT)
STEP 1 - Installed Lusca and enabled sessions (CSRF needs them) - npm ...
0 votes · 0 answers · 23 views
working with CSRF Azure hosted React and DRF
We have react front end running as a web app in Azure
We have a DRF backend running in a container in Azure.
We are using cookies for authentication.
We have a postgres database on the backend.
We are ...
0 votes · 0 answers · 128 views
problem validating csrf token, server-side cookies undefined
I'm trying to validate the CSRF token but it's not working, it's giving me "403 forbidden: invalid CSRF token"
I disabled the double-CSRF protection and put some logs in my code and I've ...
1 vote · 1 answer · 616 views
CSRF Tokens in FastAPI/Starlette
I am building a FastAPI app serving Jinja2 templates and am a bit unsure on how to handle CSRF tokens. I have added Starlette's SessionMiddleware:
app.add_middleware(SessionMiddleware, secret_key=&...
1 vote · 0 answers · 19 views
OAuth 2.0 Connection Giving a CSRF Error (Using httr)
I am attempting to connect to the QuickBooks Online (QBO) API and when I try to connect I get this error in the browser:
The state query parameter is missing from the authorization request
And then ...
0 votes · 3 answers · 147 views
Can an attacker steal JavaScript local variables via XSS, CSRF, or other attacks? [closed]
There is a web page which does not use any cookies:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<script>
async function ...
0 votes · 2 answers · 130 views
Laravel Sanctum generates new XSRF-TOKEN for stateful API Requests
I use Laravel Sanctum to authorize SPA application requests (NuxtJS). In general, I understood the idea with the /sanctum/csrf-cookie endpoint and am already sending a request using axios, which ...
1 vote · 0 answers · 81 views
Ruby Cuba framework Cross-Site Request Forgery (CSRF)
Can someone explain to me how to use it in a form and how to pass data to a route, with a simple example...
<form>
{{ csrf.form_tag }}
</form>
0 votes · 1 answer · 50 views
laravel Cookies and session not setting on client's browser in production
Working on a Laravel project, cookies and sessions stopped being set in the client's browser in production but work on localhost.
Every form submission is not getting to the controller and returns the 419 page ...
0 votes · 2 answers · 526 views
Why shouldn't I save CSRF tokens in session storage
I am new to webdevelopment and have written some tests in Playwright to test my webapplication. The tests are failing only on Webkit/safari, seemingly due to CSRF validation issues returning 403 ...
0 votes · 0 answers · 69 views
CSRF protection without CSRF tokens (rejecting x-www-form-urlencoded, using SameSite cookies, and making GET requests read-only)
Is it enough to prevent CSRF by rejecting x-www-form-urlencoded, using
SameSite=Strict cookies, and making GET requests read-only?
I'm trying to make sure my web application is fully protected ...
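An added example for the design sketched in the question above (not code from the post, and not from any of the frameworks on this page): a token-less CSRF gate that implements the three checks listed, keeps GET/HEAD read-only, and adds the two things a practitioner would want on top. First, an Origin / Sec-Fetch-Site check, because SameSite=Strict says nothing about a sibling subdomain (which the browser treats as same-site) or a client that ignores the attribute. Second, the body-type rejection is widened beyond x-www-form-urlencoded, since a plain HTML form or a no-cors fetch can also submit multipart/form-data and text/plain without a CORS preflight. The allowed-origin set, header names and request shapes below are constructed for the example.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Content types a cross-site HTML form or a no-cors fetch can send with no
# preflight. Rejecting only x-www-form-urlencoded leaves the other two open.
FORM_CAPABLE_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# Hypothetical: the application's own origin(s).
ALLOWED_ORIGINS = {"https://app.example.com"}


def session_set_cookie(value: str) -> str:
    """Set-Cookie line for the session cookie. SameSite=Strict stops the browser
    attaching it to any cross-site request; Secure and HttpOnly are the usual
    companions. (The cookie value is whatever the session layer issues.)"""
    return f"session={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


def _media_type(content_type: Optional[str]) -> str:
    """'multipart/form-data; boundary=x' -> 'multipart/form-data'."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def csrf_gate(method: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a request may reach a state-changing handler.

    Returns (allowed, reason). Header names are matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    method = method.upper()

    # 1. Safe methods pass, on the condition (enforced by the handlers, not
    #    here) that they never mutate state.
    if method in SAFE_METHODS:
        return True, "safe method; handler must be side-effect free"

    # 2. Fetch Metadata: a browser that labels the request cross-site is
    #    refused outright. 'same-site' (a sibling subdomain) is NOT trusted;
    #    it falls through to the Origin check below.
    if h.get("sec-fetch-site") == "cross-site":
        return False, "Sec-Fetch-Site: cross-site"

    # 3. Origin check. Browsers send Origin on POST/PUT/DELETE; if it is absent
    #    (non-browser client, or stripped), fall back to Referer, and refuse
    #    when neither is present rather than guessing.
    origin = h.get("origin")
    if origin is not None and origin != "null":
        if origin not in ALLOWED_ORIGINS:
            return False, f"Origin {origin} not allowed"
    else:
        referer = h.get("referer")
        if not referer:
            return False, "no Origin or Referer"
        p = urlsplit(referer)
        if f"{p.scheme}://{p.netloc}" not in ALLOWED_ORIGINS:
            return False, "Referer origin not allowed"

    # 4. Require a body type that forces a CORS preflight (e.g. application/json);
    #    anything a form can produce, or no type at all, is refused.
    mt = _media_type(h.get("content-type"))
    if mt == "" or mt in FORM_CAPABLE_TYPES:
        return False, f"form-capable content type {mt!r}"

    return True, "ok"
```

Reading the gate top to bottom gives the answer to the question's "is it enough": the three listed measures only hold if the form-capable set is rejected in full, and an Origin check is what actually closes the same-site subdomain case that SameSite cookies leave open.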
1 vote · 1 answer · 87 views
419 CSRF Error when adding enctype="multipart/form-data"
I am using Laravel. When adding enctype="multipart/form-data" to the form it gives a CSRF error, and when removing it the form submits fine.
My php.ini file settings are:
max_execution_time=3600
...
0 votes · 1 answer · 73 views
CSRF token error when using multer with enctype="multipart/form-data" in Express.js
I am encountering a CSRF token error when submitting a form with file uploads using multer in an Express.js application. I am using enctype="multipart/form-data" to handle the file input, ...
0 votes · 0 answers · 59 views
CSRF token cookie not being set when calling Express API from Next.js server action (using csrf-csrf)
I'm developing an app with an Express backend protected by CSRF using the csrf-csrf package (Double Submit Cookie Pattern) and a Next.js frontend (using App Router and server actions). My refresh ...
0 votes · 1 answer · 116 views
Invalid CSRF token when calling microservices through my Spring Cloud Gateway
I'm stuck on an issue in my Spring Boot microservice application using Spring Cloud Gateway.
I have a microservice for authentication based on Keycloak exposing some APIs like register, login and so on.
...
0 votes · 1 answer · 158 views
Laravel Sanctum SPA Authentication Not Working with Next.js Frontend
Problem
I'm building an application with a Next.js frontend and Laravel backend using Sanctum for SPA authentication. When I login from the Next.js app, I can see the authentication cookies being set ...
0 votes · 0 answers · 57 views
How to send CSRF token using Django API and a Flutter-web frontend ? HeaderDisallowedByPreflightResponse [duplicate]
I have a python/django web API with a single endpoint, let's call it /api/v1/form. That API is called from a Flutter-web frontend application. I currently use the following configuration that disables ...
1 vote · 0 answers · 45 views
How does PKCE protect against CSRF attacks?
It's unclear to me how PKCE will fundamentally protect against CSRF attacks. If I'm logged in as an authorized user, and click a malicious link to "change the state" of my application, how ...
0 votes · 0 answers · 48 views
How to implement CSRF security in Java Spring WebFlux without a separate CSRF endpoint?
I am using Java Spring WebFlux and I want to implement CSRF security. I am curious what the best practices are nowadays, seeing so many different answers.
I'm especially interested in checking if it's ...
0 votes · 0 answers · 65 views
How can I set a CSRF cookie as a server cookie in NextJS to send it to ExpressJS backend?
About my architecture:
I have a backend with Express.js and a frontend with Next.js.
I have massive problems with my CSRF cookie. I create it in Express.js and send it to Next.js (Client). Here it is ...
0 votes · 0 answers · 31 views
Handling in a reverse proxy configuration, status code 419 is replaced with 500
Local Development Environment.
I have touched a little the template file with which the nginx configurations are generated, the result is the following:
# from nginxproxy/nginx-proxy
# uknp.dock/
...
0 votes · 1 answer · 95 views
Why is having the csrf_access_token in Flask-JWT-Extended in a cookie considered secure?
I have my login and logout working... what I don't understand is how having the CSRF in the cookie is "secure"... I guess I'm missing the punchline as to how this is secure, as both are in ...
0 votes · 0 answers · 76 views
Getting 401 when attempting to signup or login in django allauth react-spa example
I am very new to using django-allauth, and I want to integrate it with my Django backend. I was trying to use the react-spa example outlined in the docs https://react.demo.allauth.org/, but I got a 401 ...
1 vote · 1 answer · 105 views
Do we have to set headers in AJAX requests for CSRF Protection?
I am using inline jQuery to POST to a URL on my site so that I can include a CSRF token via a PHP variable. I've been trying to find an answer but can't seem to find it; I just keep finding questions ...
1 vote · 0 answers · 34 views
CSRF protection in node
So I am developing a small auth-module for an application of mine, mainly to learn how session based auth really works.
I thought it would be cool if it could also provide csrf protection, so I kinda ...
0 votes · 0 answers · 235 views
Is having a CSRF with FastAPI any safer than not?
I've just read this article about Flask and using a Svelte frontend with a separate API, specifically the section called Frontend Served Separately (cross-domain)
They are creating a CSRF cookie and ...
0 votes · 0 answers · 40 views
Django CsrfViewMiddleware and exploited SubDomain
Context (Double Submit Cookie and Subdomains):
When using a CSRF token with a cookie for the Double Submit Cookie method, you have to ensure the client receiving the cookie can read this cookie, and ...
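One added example serving three of the questions on this page: "JWT and CSRF tokens or just JWT token", the Flask-JWT-Extended csrf_access_token question, and this double-submit-cookie/subdomain question. It is editor-written code, not from any post and not Django's or Flask-JWT-Extended's implementation. It shows (a) why a CSRF value in a cookie next to a JWT cookie still helps: the JWT cookie is attached automatically to a cross-site request, but a cross-site page cannot read the CSRF cookie, so it cannot echo it in the form field or header the server also demands; and (b) why the unsigned form fails when an attacker controls a sibling subdomain and can plant a cookie for the parent domain, and how the signed variant (the "signed double-submit cookie" from the OWASP CSRF cheat sheet) survives that, because the planted value carries no HMAC under the server's secret. The secret, session ids, cookie names and all request shapes are constructed; the JWT cookie is assumed HttpOnly.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical server-side secret; in practice loaded from configuration.
SERVER_SECRET = b"hypothetical-server-side-secret"


def mint_csrf_token(session_id: str) -> str:
    """Mint a signed double-submit token bound to the caller's session.

    Layout: <hex HMAC-SHA256(secret, session_id + '!' + nonce)>.<nonce>
    session_id is whatever the server recovers from the HttpOnly JWT cookie
    (e.g. the 'sub' or 'jti' claim), so the token is tied to that login.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}!{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{mac}.{nonce}"


def verify_naive(cookies: Dict[str, str], submitted: Optional[str]) -> bool:
    """Unsigned double submit: the csrf_token cookie must equal the value
    echoed back in a form field or X-CSRF-Token header.

    A cross-site page cannot read the cookie, so it cannot echo it; that is
    the whole protection. It is no protection against a party that can
    *write* cookies for the site, e.g. a compromised sibling subdomain.
    """
    cookie = cookies.get("csrf_token")
    if not cookie or not submitted:
        return False
    return hmac.compare_digest(cookie, submitted)


def verify_signed(cookies: Dict[str, str], submitted: Optional[str], session_id: str) -> bool:
    """Signed double submit: everything verify_naive checks, plus the submitted
    value must carry a valid HMAC over this session. A planted cookie fails
    because its author has no SERVER_SECRET."""
    if not verify_naive(cookies, submitted):
        return False
    mac, sep, nonce = submitted.partition(".")
    if not sep or not nonce:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}!{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def demo() -> Dict[str, bool]:
    """Run the request shapes that matter and return each verdict."""
    session_id = "sess-123"          # constructed: recovered from the JWT cookie
    legit = mint_csrf_token(session_id)
    victim = {"jwt": "<signed jwt>", "csrf_token": legit}

    # Cookie tossing from evil.example.com: the attacker sets csrf_token for
    # .example.com to a value they chose and echoes it in the forged form.
    planted = "attacker-chosen"
    tossed = {"jwt": "<signed jwt>", "csrf_token": planted}

    # A genuine token minted for a different login, replayed in both places.
    other = mint_csrf_token("sess-999")
    replay = {"jwt": "<signed jwt>", "csrf_token": other}

    return {
        "legit_naive": verify_naive(victim, legit),
        "legit_signed": verify_signed(victim, legit, session_id),
        # Cross-site POST: cookies ride along, but the page cannot read them,
        # so nothing matching is submitted.
        "cross_site_naive": verify_naive(victim, None),
        "cross_site_signed": verify_signed(victim, None, session_id),
        "tossed_naive": verify_naive(tossed, planted),                 # True: the gap
        "tossed_signed": verify_signed(tossed, planted, session_id),   # False
        "replay_signed": verify_signed(replay, other, session_id),     # False: wrong session
    }
```

The header variant of double submit (token in an X-CSRF-Token header rather than a form field) is not reachable from a cross-site form at all, so cookie tossing only bites when the token is accepted from a form field; the signed token closes that path regardless of where the token is carried.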
0 votes · 1 answer · 181 views
How to write Spring webflux integration test using CSRF
I am using reactive Spring Boot 3.4.3 with webflux. For easier setup, CSRF has been disabled .csrf(ServerHttpSecurity.CsrfSpec::disable). Then I turn it on in this way (because of expected integration ...
1 vote · 1 answer · 51 views
How can I mock $csrfFetch in Vitest?
In my app, I use the nuxt-csurf module.
Meaning, I have to use useCsrfFetch and $csrfFetch.
This works fine during manual testing, but in Vitest I need to mock these functions.
I have tried:
vi.mock('....
0 votes · 0 answers · 68 views
Testing a flask-WTForms app that uses csrf token (pytest)
I have a flask app based on the tutorial here https://flask.palletsprojects.com/en/stable/tutorial/. The tutorial comes with a test suite but having adapted the app to use WTForms the tests that post ...
0 votes · 0 answers · 20 views
XSRF token in tornado web ssh
My frontend is on a different domain than the WebSSH server (running on the Tornado framework), and I'm encountering an issue with the XSRF token. Since the XSRF token is not delivered through a ...
0 votes · 0 answers · 82 views
Getting "ForbiddenError: invalid csrf token" with doubleCsrf in Express.js
I'm having an issue with doubleCsrf in my Express.js backend, and I keep getting the following error on every request:
ForbiddenError: invalid csrf token
at doubleCsrf (file:///Users/admin/...
2 votes · 0 answers · 99 views
Embedding a Web Application Using an Iframe
I have a Django application (A), and one of my clients wants to embed it within their application (B) using an iframe. The client application can be built with any framework, and we have no control ...
0 votes · 0 answers · 82 views
How to fix CSRFToken headers and CORS issues in React + Django website
I have an application running with react as the frontend and django (with all-auth) as the backend. When I use an online hosting service, I get the following issues:
TypeError: NetworkError when ...
1 vote · 0 answers · 31 views
Passing CSRF token through Dart html parsing
I'm making an app where students can log in to their portal website and it shows their data; however, I'm having trouble authenticating users. When I did this project on another website I used ...
0 votes · 1 answer · 299 views
Django CSRF Token Suddenly Stopped Working
I've been programming a Django application for over a year now. I got the CSRF token working fine in the beginning and there haven't been any problems since. But now, it's suddenly stopped working, ...
0 votes · 0 answers · 61 views
Is it possible to request XML with HTML without browser
I have a DLink DWR-921 router that works with mobile internet. It has an admin page http://ipaddress/sys_smsmsg.htm that allows to send sms via the SIM card that feeds the router. I am trying to ...
0 votes · 0 answers · 40 views
CSRF Token Failure and 404 not found
I am developing a React app with Django REST Framework as backend and hosting both on Heroku. When registering or logging in via the frontend, I get a 404 Not Found error for the CSRF token endpoint:
...
0 votes · 0 answers · 46 views
Ajax call with CSRF protection 403 forbidden CI4
I am working on translating a page from Codeigniter 3 to Codeigniter 4, and have session based CSRF protection enabled in CI4. For some reason, even though I can see the CSRF name and CSRF hash in ...
0 votes · 0 answers · 21 views
Excluding csrf_token while using application factory for some routes
I am using an application factory and running into trouble excluding some routes from csrf_token. The csrf exempt works for the entire crud_bp. But how would I exclude only certain routes? I have ...
0 votes · 0 answers · 49 views
Invalid CSRF Nodejs React
I have a Nodejs app with React in front. I implemented my csrf like:
// initial-csrf.js
var csrf = require("csurf");
const csrfProtection = csrf({});
module.exports = {
csrfProtection,
};...