🎩 Cross-site request forgery (CSRF)
Last updated
This is the way an attacker can create a new website that has the same UI as ours; the user may not notice and uses the attacker's website instead. That website then sends requests to our API, and because the browser attaches the user's cookies to them, the API treats them as the user's own actions. Another scenario is when the attacker knows about our API and tries to call it directly.
Example (Case 2)
Allow CORS only for specific origins. Browsers do not let a page from one origin call an API on another origin unless the API opts in through CORS headers, so we must specify exactly which origins may call the API and should never allow all origins (`*`). Note that CORS only controls whether another origin's script can read our API's response; it does not stop a plain form submission from another site, so it is not a complete CSRF defence on its own.
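The origin allow-list described above, as an added example that is not part of the original page. It is plain Node.js with no framework; the origins `https://app.example.com` and `https://api.example.com` and the header name `X-CSRF-Token` are constructed values for the example. The `auditCorsHeaders` helper flags the "allow all origins" setting the text warns against.

```javascript
// Added example (not the page's own code): CORS origin allow-list for an API.
// Assumption: only https://app.example.com is a trusted browser origin (constructed value).
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Compute the CORS response headers for one request.
// Returns null when the Origin header is absent or not trusted: the browser then
// refuses to let the cross-origin page read the response.
function corsHeadersFor(requestHeaders, allowedOrigins = ALLOWED_ORIGINS) {
  const origin = requestHeaders['origin'];
  if (!origin || !allowedOrigins.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,       // echo the one trusted origin, never '*'
    'Access-Control-Allow-Credentials': 'true',  // safe only because the origin is explicit
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type, X-CSRF-Token',
    'Vary': 'Origin',                            // caches must not reuse this across origins
  };
}

// Minimal handler: answers the preflight (OPTIONS) and tags real responses.
// An untrusted origin still reaches the handler for non-preflighted requests such as
// a form POST; CORS only hides the response from it, which is why a CSRF token is
// still needed for state-changing calls.
function handleCors(req) {
  const cors = corsHeadersFor(req.headers);
  if (req.method === 'OPTIONS') {
    return cors ? { status: 204, headers: cors } : { status: 403, headers: {} };
  }
  return { status: 200, headers: cors || {}, body: 'api response' };
}

// Config-review helper: flag the weak settings the text warns about.
function auditCorsHeaders(headers) {
  const findings = [];
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  if (allowOrigin === '*') {
    findings.push('Access-Control-Allow-Origin is "*": every origin may read responses');
  }
  if (allowOrigin === 'null') {
    findings.push('Access-Control-Allow-Origin is "null": sandboxed frames and file pages match');
  }
  return findings;
}

// Constructed walk-through: trusted origin gets headers, unknown origin gets none.
function demoCors() {
  const trusted = handleCors({ method: 'OPTIONS', headers: { origin: 'https://app.example.com' } });
  const unknown = handleCors({ method: 'OPTIONS', headers: { origin: 'https://other.example' } });
  return [trusted.status, unknown.status];
}

module.exports = { corsHeadersFor, handleCors, auditCorsHeaders, demoCors };
```

Run `node` on the file and call `demoCors()` to see `[204, 403]`; feeding `auditCorsHeaders` your real response headers is a quick way to catch a wildcard origin before it ships.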
Use a CSRF token. It is generated for our website once, as a response when the site first calls the API, and every later API call must send the CSRF token back (in a cookie, with HttpOnly set for safety, or in another location) so the server can validate whether the data really comes from the same site.
CSRF token flow