☀️
Dev7Days
  • 😄Welcome
  • Local Setup
    • ⚙️Setup Terminal
    • ⚙️Setup IDE
    • ⚙️Setup Neovim
  • Rust
    • 🦀Cargo
  • Java
    • 🍃Spring Boot
      • Spring Boot Annotaion
      • Spring Boot Learning
    • 🍃JDK vs JRE vs JVM
    • 🍃What is JDBC ?
    • 🍃What is Data Source in Java ?
    • 🍃Check vs Unchecked Exception
    • 🍃What is Servlet in Java ?
    • 🍃Filter vs Interceptor
    • 🍃Mockito
    • 🍃Maven CLI
    • 🍃Maven Archetype
  • Go
    • 🔹Go Routine and Channel
    • 🔹Go CLI
  • Ruby and Rails
    • ♦️Ruby Syntax
    • ♦️Rails Framework
    • ♦️Rails Structure
  • Fundamental
    • 📚Git Command
    • 📚Interpreter vs Compiler
    • 📚DTO vs DAO
    • 📚Http Status
    • 📚What is Batch Process ?
    • 📚Https
    • 📚Local Storage vs Session Storage vs Cookies
    • 📚Authentication & Authorization
    • 📚Database Index
    • 📚What is GRPC ?
    • 📚What is Microservice ?
  • Database
    • 🗃️What is Transaction ?
    • 🗃️ACID
  • Postgres
    • 🐘SELECT
    • 🐘Column Alias
    • 🐘Order By
    • 🐘SELECT DISTINCT
  • Elastic Search
    • 🔍What is Elastic Search ?
    • 🔍Node and Cluster
  • Kubernetes
    • ☸️What is Kubernetes ?
    • ☸️Kubernetes Architecture
      • Node
      • ETCD
      • Kube API Server
      • Controller Manager
      • Kube Scheduler
      • Kubelet
      • Kube Proxy
  • ☸️Pod
  • ☸️ReplicaSet
  • ☸️Deployment
  • ☸️Service
  • ☸️Config Map
  • ☸️Namespaces
  • ☸️Kube Apply Command
  • ☸️Scheduling
    • Manual Scheduling
    • Labels and Selectors
    • Taints and Tolerations
    • Node Selector
    • Node Affinity
    • Resource Requirements and Limits
    • DaemonSets
    • Static Pods
    • MultipleSchedulers
  • ☸️Monitoring
  • AWS
    • 🔸How can users access AWS ?
    • 🔸IAM
    • 🔸EC2
      • User Data
      • Instance Types
      • Security Group
      • Purchasing Options
      • Placement Groups
      • Elastic Network Interface (ENI)
      • EC2 Hibernate
      • EC2 Storage
    • 🔸ELB & ASG
      • Health Checks
      • Target Group
      • ELB Types
      • Sticky Sessions
      • Cross Zone Load Balancing
      • Load Balancer - SSL and SNI
      • Deregistration Delay
      • ASG
    • 🔸RDS & Aurora DB
      • RDS
        • Storage Auto Scaling
        • Read Replica
        • Multi AZ
        • RDS Custom
        • Backup
        • RDS Proxy
      • AWS Aurora
        • Read Replica
        • Endpoint and Auto Scaling
        • Aurora Serverless
        • Global Database
        • Machine Learning
        • Backup
        • Database Cloning
      • RDS & Aurora Restore options
      • RDS & Aurora Security
    • 🔸Elastic Cache
    • 🔸Route 53
      • Records
      • Hosted Zones
      • Health Check
      • Routing Policies
  • Backend Security
    • 🎩SQL Injection
    • 🎩Cross site script (XSS)
    • 🎩Cross site request forgery (CSRF)
    • 🎩Man in the Middle (MITM)
    • 🎩Insecure Direct Object Reference (IDOR)
    • 🎩Distributed denial of service (DDOS)
  • Medium
    • 👨‍💻Gamer to Coder
    • 🐳Docker
      • Docker #1
      • Docker #2
    • 💊DI and IOC
    • ☸️Kubernetes
  • Book
    • 📚System Design Interview - An Insider's Guide (Volume 1
Powered by GitBook
On this page
  1. Backend Security

Cross site request forgery (CSRF)

PreviousCross site script (XSS)NextMan in the Middle (MITM)

Last updated 5 months ago

This is the way that hacker can create new website that has the same UI as us then the user may not know and use the hacker website. Next Hacker website will send request to our API. Another Scenario is when the hacker know about our API then they try to call our API.

Example (Case1)

Example (Case2)

How to Protect

  1. Allow CORS (It is the policy that allow by default ) this CORS it will not allow cross origin to call then we need to specify which origin can call api *** should not allow all origin

  2. Use CSRF token It will generate for our website when call to API as response only one time and everytime we call API , it require to send CSRF token in cookie (or other but set in cookie for safe with http only ) to validate whether the data is come from same site ?

CSRF token flow

🎩
Drawing
Drawing
Drawing