mozfreddyb
left a comment
Really love this article. I found some nits and have a somewhat positive take on fetch metadata headers such that I would argue to include them.
Co-authored-by: Frederik Braun <fbraun+gh@mozilla.com>
|
@mozfreddyb, I have attempted to address your comments. @hamishwillee you might also want a look to see if it still makes sense! |
|
This looks much better now imho :-) For some reason I can't "resolve" comments that I supplied, maybe because I'm not a reviewer from within the mdn content project. I can do another review in the coming days, but it would help if you could resolve those that you consider fixed for us both to keep track of changes. |
mozfreddyb
left a comment
I can't formally approve: Only users with explicit access to this repository may approve pull requests.
But I approve of this anyway. 😁
Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
|
Still looks good to me. A couple of comments, but it is still approved (great to have the feedback from @mozfreddyb ). |
Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
|
In light of this merging, should https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention be removed? I'd lean to yes. This here was written as a replacement to it after all. I think https://developer.mozilla.org/en-US/docs/Glossary/CSRF should link to the new article as well. |
|
Yes, I'm eventually going to get around to cleaning all that up! |
* upstream/main: (172 commits)
  chore: improve code style guide (mdn#38715)
  fix: typo on `Error.isError()` page (mdn#38754)
  plural consistency (mdn#38747)
  fix: auto-cleanup by bot (mdn#38695)
  Synchronize with BCD v5.7.4 (mdn#38709)
  Add docs for JS self-profiling API (mdn#37796)
  Better SameSite docs (mdn#38710)
  Added missing explanation for Array Literals (mdn#38745)
  Add a page on CSRF (mdn#38151)
  Fix description of several Range methods (mdn#38518)
  Remove extraneous span (mdn#38696)
  Add a definition for media containers, improve how the media files are defined and Remove wrong information (mdn#38721)
  Move visited selector guide to CSS selectors module (mdn#38642)
  Make JSON learning article more technically precise (mdn#38644)
  Make translate3d() interactive example code valid (mdn#38647)
  Clarity on Safari support for custom elements (mdn#38727)
  feat(css): Link to learning doc about text direction (mdn#38719)
  Fix typo (mdn#38739)
  move guide to module: inline formatting context (mdn#38637)
  Fix CSS pseudo-class lists (mdn#38576)
  ...
* Add a page on CSRF
* Update landing page
* ...
* fix glossary macros
* Bits and pieces
* typo
* correct words
* simpler example
* undo simpler example
* Update files/en-us/web/security/attacks/csrf/index.md
  Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
* Update files/en-us/web/security/attacks/csrf/index.md
  Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
* Update files/en-us/web/security/attacks/index.md
  Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
* Review comments
* Expand on SameSite problems
* Add defense summary checklist
* Update files/en-us/web/security/attacks/csrf/index.md
* Update files/en-us/web/security/attacks/csrf/index.md
  Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
* Update files/en-us/web/security/attacks/csrf/index.md
  Co-authored-by: Frederik Braun <fbraun+gh@mozilla.com>
* Update files/en-us/web/security/attacks/csrf/index.md
  Co-authored-by: Frederik Braun <fbraun+gh@mozilla.com>
* Shorten section on CORS
* Use form submission as an example of top-level navigation
* Recommend using both Lax and Strict
* Add a bit on Fetch metadata
* Better link for SameSite
* Update files/en-us/web/security/attacks/csrf/index.md
  Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
* Update files/en-us/web/security/attacks/csrf/index.md
* Update files/en-us/web/security/attacks/csrf/index.md
  Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
* Update files/en-us/web/security/attacks/csrf/index.md
  Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
---------
Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
Co-authored-by: Frederik Braun <fbraun+gh@mozilla.com>
This PR adds a page on CSRF attacks.
It's potentially a replacement for https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention, and compared with that page: