4,756 questions
0 votes, 0 answers, 9 views
CSRF Failed: CSRF token missing
I am writing my code in Django (Python). Here is my view.py:
@csrf_exempt
@api_view(['POST'])
def Userlogin1(request):
print('login working')
username = request.data.get('username')
password =...
0 votes, 0 answers, 16 views
MSAL JWT Token in session/localStorage and Token Cookie
I am working in the FE with React and BE with Hasura.
Since I am using azure for authentication I used the Microsoft Authentication Library (MSAL) with msal.js and acquireTokenSilent for React.
...
-1 votes, 0 answers, 30 views
CSRF Attack - Get Request
I came across a situation where an account deletion endpoint on a web application can be triggered by a simple GET request. I'm not sure whether this is a security vulnerability or not, so I’m looking ...
-1 votes, 1 answer, 20 views
What is the point of using jwt(http-only cookie) and csrf token(not http-only cookie)?
As far as I understood, I need protection against csrf attacks when I use jwt by storing them in http-only cookies.
So that when a user visits a malicious site and a request to my server is made from ...
0 votes, 0 answers, 25 views
I can't get rid of CSRF checks [duplicate]
First of all, I know how necessary csrf is and what disasters will happen to me if I don't use it, I have read enough about it.
I want to disable csrf checks by taking all kinds of risks.
I have a ...
0 votes, 0 answers, 17 views
jinja2.exceptions.UndefinedError: 'form' is undefined error when rendering template with Flask and Flask-WTF
I am working on a Flask application, and I'm encountering an error when trying to render the teacher_dashboard.html template. The error occurs when trying to display the CSRF token in the template ...
1 vote, 1 answer, 17 views
Should the csrf template tag be used in a Search form?
I have a django view that allows a user to search and get data from a database. No changes are made to the database. I also realized that the csrf token shows up in the url. I searched online and read ...
0 votes, 1 answer, 54 views
Why am I getting a 403 Forbidden error when making a POST request to the login API in Vue.js?
I'm working on a Vue.js application where users can log in through an API using the axios library. However, when I send a POST request to the API endpoint, I'm getting a 403 Forbidden response.
Here's ...
0 votes, 0 answers, 94 views
connect.sid cookie is not being created, req.session generates a new sessionID on every request, something is wrong with my CSRF implementation
What is expected?
I hit the GET /csrf/token endpoint from my frontend
A new csrf token is generated as no cookie is set yet
This csrf token is saved to redis store via connect-redis and connect.sid ...
1 vote, 0 answers, 16 views
CSRF Token won't be set unless the server sends a response. But CSRF token needed to make a request inside nuxtServerInit? How to handle this case?
Backend
Take this express backend server
const app = express();
app.use(rTracer.expressMiddleware());
app.use(requestLogger);
app.use(
cors({
credentials: true,
origin: getAllowedOrigins,
...
1 vote, 1 answer, 50 views
Should I store CSRF token in my client Java app?
I have a REST API Spring Boot application (called app "A"). It calls another API (called "B").
"B" is OAuth2 secured and requires CSRF token for POST/PUT/DELETE.
Every &...
0 votes, 1 answer, 61 views
Spring Webflux Security not attaching CSRF cookie after logging in via Google Oauth2
I'm implementing a simple Sign-In via Google Oauth2 for my Spring Webflux backend and ReactJS frontend. For now I'm just trying to get the API working and test it with an OpenAPI swagger page.
I've ...
0 votes, 1 answer, 34 views
Unable handle the Csrf-Token for GET request in Django
In the Django framework, when it is a POST request, if you modify the cookie CSRF token, it throws a 403 error. But when it is a GET request, I tried to modify the cookie CSRF token, and it returned ...
0 votes, 0 answers, 48 views
Django + React on GCP Cloud Run, post request comes back with a 403 error
I'm attempting to submit a post request for a payment with Stripe. Despite trying many solutions on stackoverflow / recommendations from CGPT my axios post request is still getting 403 blocked.
I'm ...
1 vote, 1 answer, 58 views
Why is Spring Security setting CSRF cookie with SameSite=None attribute?
I have a Springboot application with Spring Security 6 and a single page application for frontend (Vue). I configured anti-CSRF using the exact same config as the one described in the documentation. ...
0 votes, 0 answers, 30 views
CSRF Warning: Token Exchange Failed with mismatching_state using Flask-Dash Auth0 inside React iFrame
I'm working on a Python Dash project with Flask and Auth0 for authentication. The project works fine when accessed directly. However, when I load it inside a React project using an iframe, I encounter ...
0 votes, 0 answers, 39 views
Spring security CSRF integration: question about the mobile application documentation example
I don't understand the CSRF integration for mobile application presented in Spring Security documentation.
It is proposed to provide a GET /csrf endpoint for the client to get a CSRF token and reuse ...
0 votes, 1 answer, 47 views
Blank Pages and Responses when using OWASP CSRF Guard
I am trying to implement the OWASP CSRF Guard in a web application that I am updating (written in Java 17, running on a tomcat 10.1.25 server). We had been using the ESAPI library, but since we only ...
0 votes, 0 answers, 53 views
Trying to build a news scraper, but can't access the Wall Street Journal site
Trying to build a news scraper, but can't access the Wall Street Journal site. I have got the subscription to the site as well as my CSRF Token, however, I still get denied access. I tried contacting ...
-1 votes, 1 answer, 98 views
CSRF and JWT With Spring Security 6 Stateless REST
I have a question about how to incorporate JWT tokens with CSRF protection when integrating with the Angular framework and Spring Security 6. While there are numerous posts on whether to use both CSRF ...
2 votes, 1 answer, 100 views
Spring Security 6.2.1 + Vue.js 3 (axios) : Invalid CSRF Token in POST request (code 403)
I'm creating a Single Page application with Spring and Vue, but I cannot get the anti-csrf protection to work. I followed what this topic suggests but the CSRF token isn't found with any name (_csrf, ...
1 vote, 0 answers, 55 views
Spring Security CSRF protection customization on Reactive WebFlux applications
I'm working on a microservices architecture that combines servlet and reactive Spring Boot applications; these are deployed on a K8S cluster, and each microservice exposes the Spring Actuator ...
0 votes, 0 answers, 26 views
Angular+Django how to access cookie under different domain
This is a follow up to my previous question (Angular+Django CSRF token not being saved as cookie) since I understand the underlying problem now.
I have a Angular and Django setup and I am trying to ...
0 votes, 0 answers, 41 views
CSRF Token enabled in keycloak by default?
We ran DAST and VAPT on Keycloak; the report says CSRF is not implemented. We don't find a CSRF token in the headers or in the request. The question is: if this is enabled, where can we find the CSRF token; if not, how to ...
1 vote, 1 answer, 111 views
Best way to automatically add CSRF Token to Spring Boot JTE main template
I like the new template engine JTE and I am trying to learn this.
I know I can manually add the CSRF token as a request attribute and I have done it for my login form like so:
@GetMapping("/login&...
0 votes, 1 answer, 36 views
Oauth2. How does server understand 'state' is belonging to a valid public client?
I am trying to understand how exactly state benefits Oauth flow by preventing CSRF. I just don't understand what the client server is comparing the state in the URL to. I have seen such an example:
...
0 votes, 0 answers, 24 views
Automatic unsafe authorization with React Native
I am trying to create a simple login/out functionality for my customer's app with React Native. Login functionality is structured by the following rules:
Initial login should be implemented with ...
0 votes, 0 answers, 28 views
Getting logged out of my project without validating the CSRF token while still using its middleware
I am getting logged out of my current Laravel project when I run the below script in my browser with
<form action="http://127.0.0.1:8000/logout" method="POST"> -here you can change ...
1 vote, 1 answer, 89 views
Flask and CSRF tokens
I'm trying to use CSRF tokens with my Flask app, but I noticed that after the site had been open for a little bit (1 hour), it wouldn't work unless I reloaded, so I did a little testing and found out it's ...
1 vote, 1 answer, 140 views
Laravel 419 Error on Login Request Despite XSRF-TOKEN Present in Cookies
I’m building a Laravel 11 application and handling login requests with Axios. I'm encountering a 419 error when trying to log in, even though the laravel-session and XSRF-TOKEN cookies are present in ...
0 votes, 0 answers, 94 views
CORS - CSRF token Mismatch with Laravel 11 Sanctum & React on Different Domains
I’m working on a Laravel 11 backend (https://backend.com) with Sanctum for authentication, and a React frontend hosted on a different domain (https://frontend.vercel.app). I’m encountering a CSRF ...
0 votes, 1 answer, 48 views
How to get csrf token in vue component from laravel using stripe
I have a problem with getting redirected correctly to the payment method. I'm using Laravel 10 as backend and Vue 3 as frontend. I'm getting the error message: Cross-Origin Request Blocked: The Same Origin ...
0 votes, 0 answers, 59 views
WordPress AJAX returning 'Invalid JSON response' after sending data to external API with wp_remote_post
I'm working on a WordPress-based project that involves sending data via an AJAX request to a Lambda function using the wp_remote_post() method. The request includes JWT authentication and CSRF token ...
0 votes, 0 answers, 37 views
What is the correct way to generate/validate an Okta "state" parameter aka CSRF?
I am integrating OKTA authentication in my app, and saw in their docs:
Okta requires the OAuth 2.0 state parameter on all requests to the
/authorize endpoint to prevent cross-site request forgery (...
0 votes, 1 answer, 202 views
XSRF Token missing from POST request after deployment to Cloud Run
Using Laravel 11, Inertia & React -> Docker Image -> Cloud Run
After opening the app on / I get redirected to /login as expected.
Inspecting the network requests up to that point, X-XSRF ...
0 votes, 0 answers, 38 views
CSRF token mismatch after a 3DS redirect from a checkout form
I am processing a transaction using a normal HTML form in Laravel.
Everything works fine until the transaction has to pass 3ds verification.
When I post the transaction information I provide a ...
0 votes, 0 answers, 55 views
How to preserve user session in rails backend when deactivating csrf
I am migrating the front part of an application React + RoR.
I have separated one of the React components and deployed it into a vercel host, wrapped it up with Next.js, and I am now using vercel ...
0 votes, 1 answer, 60 views
Enabling and configuring csrf for spring boot 3.2 with custom front-end client defined in formLogin().loginPage()
I am trying to properly configure and enable csrf for my springboot application with react frontend. I would like to know how do I set the XSRF-TOKEN in the cookie before I make a post call to the ...
1 vote, 1 answer, 56 views
Django in Azure - CSRF Errors for existing URL in CSRF_TRUSTED_ORIGINS list
Deployed as a web app in Azure and added my custom purchased domain name, let's call it 'i-heart-java.com'. I added the URL into the ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS lists, both as https and http, ...
1 vote, 0 answers, 131 views
Nuxt3 with Laravel 11 and Sanctum Auth CSRF Error
Everything I try is not working with my auth script from Laravel 11 and Nuxt 3.
I installed Sanctum and configured the CORS config like in every tutorial. But somehow the CSRF token can't be ...
0 votes, 0 answers, 53 views
How to use custom headers for passing session_id and csrf_token in Django with database-backed sessions?
I'm using Django with a database-backed session storage, and as a result, the session_id is stored in cookies.
However, we're using a Caddy server that removes cookies from the request headers.
I need ...
-1 votes, 1 answer, 67 views
Symfony logout error "Invalid CSRF token."
I have the default setting in security.yaml:
logout:
# The route name the user can go to in order to logout
path: logout
# The name of the route to redirect to after logging out
...
0 votes, 0 answers, 20 views
How to Handle CSRF for iFrames in Django with Multiple Whitelabel Sites Without Using a Domain Whitelist?
I’m building a whitelabel solution using Django, where my clients can embed forms from my application within their websites using iFrames. However, I’m running into a problem with CSRF protection when ...
0 votes, 0 answers, 31 views
Why, if I change the value of the CSRF cookie, are my requests still valid?
I'm trying to understand how CSRF protection works in Spring Security 6.x.
I have an Angular SPA that logs in to the Spring Boot 3.0 backend with formLogin.
I have this configuration in the ...
0 votes, 0 answers, 37 views
Encountering a 302 redirect issue when submitting a form in React/Django app as API call gets redirected
In my Django/React app I want a user to be signed in to be able to successfully submit a request to an API.
I successfully login with google and I believe I am passing all of the correct data to the ...
0 votes, 0 answers, 120 views
How Does Spring Boot Validate CSRF Tokens Stored in Cookies?
CSRF is really confusing; I'm using an example on GitHub to learn about it.
Link: spring-security-angular-csrf-login
Thanks marcusdacoregio.
Now, I see that a CSRF token is stored in a cookie and sent to ...
0 votes, 0 answers, 78 views
Store a CSRF token in a cookie
Well, I'm learning about CSRF protection for my Angular - Spring Boot app.
Now, I've been reading about this in the Angular documentation and it says
HttpClient supports a common mechanism used to prevent ...
1 vote, 1 answer, 32 views
Getting CSRF Valid Failed 403 on my MERN Stack Project, Specifically on iOS Devices
I have a MERN Stack project (initially deployed as two different projects on Vercel, but now Vercel is deployed on Frontend and backend is deployed on Heroku).
The whole application works perfectly ...
0 votes, 1 answer, 286 views
JavaScript execution in PDFs inside browsers: What is the best practice to handle this securely?
We are currently working on a file-server like implementation which serves user-uploaded content. To circumvent CSRF attacks, we serve all content with a CSP header, which disallows any execution of ...
0 votes, 1 answer, 44 views
SpringBoot + React: SpringBoot not checking CSRF token
Environment:
Frontend (FE) is React 18, backend (BE) is SpringBoot 3
Issue:
SpringBoot ignores the XSRF-TOKEN header/cookie and returns HTTP 403.
From React, I am able to ask via HTTP-GET and obtain csrf-...