All Questions
328 questions
-1 votes | 1 answer | 20 views
What is the point of using jwt(http-only cookie) and csrf token(not http-only cookie)?
As far as I understood, I need protection against csrf attacks when I use jwt by storing them in http-only cookies.
So that when a user visits a malicious site and a request to my server is made from ...
1 vote | 0 answers | 16 views
CSRF Token won't be set unless the server sends a response. But CSRF token needed to make a request inside nuxtServerInit? How to handle this case?
Backend
Take this express backend server
const app = express();
app.use(rTracer.expressMiddleware());
app.use(requestLogger);
app.use(
cors({
credentials: true,
origin: getAllowedOrigins,
...
0 votes | 1 answer | 34 views
Unable to handle the Csrf-Token for GET request in Django
In the Django framework, when it is a POST request, if you modify the cookie CSRF token, it throws the 403 error. But when it is a GET request, I tried to modify the cookie CSRF token, and it returned ...
1 vote | 1 answer | 58 views
Why is Spring Security setting CSRF cookie with SameSite=None attribute?
I have a Spring Boot application with Spring Security 6 and a single page application for frontend (Vue). I configured anti-CSRF using the exact same config as the one described in the documentation. ...
-1 votes | 1 answer | 99 views
CSRF and JWT With Spring Security 6 Stateless REST
I have a question about how to incorporate JWT tokens with CSRF protection when integrating with the Angular framework and Spring Security 6. While there are numerous posts on whether to use both CSRF ...
0 votes | 0 answers | 26 views
Angular+Django how to access cookie under different domain
This is a follow up to my previous question (Angular+Django CSRF token not being saved as cookie) since I understand the underlying problem now.
I have an Angular and Django setup and I am trying to ...
0 votes | 0 answers | 37 views
Django - Browser doesn't save cookies unless CSRF_COOKIE_DOMAIN is set
I have been trying to get CORS/CSRF working on my local and I found this weird issue that unless I set CSRF_COOKIE_DOMAIN to localhost as per this answer and I have no idea why it's working.
Reading up ...
0 votes | 0 answers | 65 views
CSRF Token With Laravel Sanctum
Following Laravel docs, when making a request to a laravel backend API that uses Sanctum, the SPA must first make a request to sanctum/csrf-token to get the CSRF token which you must then pass to all ...
0 votes | 0 answers | 30 views
Why does Postman see cookies returned by Laravel, but Flask does not, even when passing through Flask?
I'm working on a project where I'm integrating a Laravel API with a Flask application. Both Laravel and Flask are running inside Docker containers on the same network. My goal is to make a request ...
1 vote | 0 answers | 66 views
CSRF Prevention Using Signed Cookies And Custom Headers
Recently I was reading about CSRF prevention techniques like Synchronizer Token, Cookie-to-header, and Double Submit Cookie. Cookie-to-header is good for websites using a lot of JavaScript, e.g. SPAs, ...
0 votes | 1 answer | 42 views
SPA + Storing JWT + REST API not accepting cookie auth
Everyone online is talking about not storing JWT in localStorage for security purposes.
But in actual fact, none of the projects I work with using SPA + REST API integration is implemented using the &...
0 votes | 0 answers | 17 views
Cross origin cookies not visible in browser devtools, but still working
I have a MERN stack app, frontend on frontend.local and backend on backend.local. I have CORS set up. I'm using express-session.
When a user logs in, I set a session id, and it automatically sends a ...
0 votes | 0 answers | 74 views
Why does the samesite=strict attribute in cookies restrict anchor links?
I want to add cookies to my website for enhanced security, as I used to use a bad session storage method.
I noticed that there are three options for the samesite attribute in cookies. The most secure one ...
0 votes | 0 answers | 17 views
Why aren't my cookies persistent on subdomains?
I have a MERN app with a front end deployed on onrender.com and backend deployed on onrender.com.
I am attempting to use cookies and JWT for authentication but am having a lot of trouble with cookies ...
0 votes | 0 answers | 42 views
Spring Boot + Angular CSRF protection, Cookie not set
I have an application setup consisting of a backend API and an Angular client. I configured CSRF protection in the backend like this:
@Bean
public CsrfTokenRepository csrfTokenRepository() {
...
0 votes | 1 answer | 220 views
NextJs not setting the cookie from django csrf_token
My nextjs application integrated with django has an authentication system based on csrftoken and sessionid. Once the nextjs application runs, it makes a request to the backend for the csrf route, ...
0 votes | 0 answers | 41 views
CSRF token not being set in Django leading to 403 on client-side
When making a POST request with axios to an endpoint in Django, the CSRF token cookie seems to not be set. Because of this it gives me a 403 status code, which I couldn't fix even after days trying ...
0 votes | 0 answers | 82 views
Inconsistent Cookie Behavior with Axios withCredentials in Vue.js
I'm working on a Vue.js frontend and have encountered an odd behavior regarding cookie transmission using Axios. I've set up a custom Axios instance with default configurations and an interceptor to ...
0 votes | 0 answers | 266 views
React with TypeScript cannot receive XSRF-TOKEN from Spring application
I have written a Spring Boot application where I want to use CSRF protection.
For this I have set the Spring SecurityFilterChange with the following snippet:
.csrf(csrf ->
...
1 vote | 0 answers | 147 views
Spring boot 6 + Angular CSRF throws 401 error, invalid csrf token
Spring security
@Configuration
public class SecurityConfiguration {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.csrf(c -> c....
0 votes | 0 answers | 19 views
Is CSRF attack possible for API authenticating with cookie but not using forms?
I understand the mechanism of the CSRF attack with the form post, but I do not get how it is possible to send a post request from a malicious site.
Imagine I have SPA at origin S, Web API at origin A, ...
1 vote | 2 answers | 575 views
CSRF client side double submission token generation
I am looking into protecting a website from CSRF attacks. Although sensitive cookies already are tagged with same-site=lax, I would still like to implement CSRF tokens. More specifically the double ...
1 vote | 0 answers | 460 views
Making Angular add X-XSRF-TOKEN header despite not having a root cookie
In our application (frontend is in Angular, backend in Java) there's the problem of not adding the X-XSRF-TOKEN header on a request, resulting in the backend returning 403 (forbidden).
The XSRF mechanism ...
1 vote | 1 answer | 369 views
JWT (XSS) vs Cookies (CSRF)?
I'm a Python backend developer at a start-up. Recently, I was asked to build the authentication system for APIs, and I implemented a token-based authentication mechanism (JWT) using the FastAPI ...
1 vote | 1 answer | 659 views
Cross-Site Request Forgery Prevention: using a cookie for the Synchronizer Token Pattern
The OWASP description of the Synchronizer Token Pattern for CSRF Prevention (here) states:
For the Synchronised Token Pattern, CSRF tokens should not be transmitted using cookies.
My understanding ...
0 votes | 0 answers | 26 views
Bypass token-based CSRF protection by simply mimicking the user workflow [duplicate]
Imagine there is a bank.com website and it uses a double-submit CSRF protection method:
Normal user story:
After logging in through the bank.com/login endpoint (where a session cookie and a CSRF ...
0 votes | 0 answers | 39 views
CSRF TEST and mismatched value trouble
<!doctype html>
<meta charset="utf-8">
<title> T CSRF_TEST.php </title>
<style> html * { font-size:1.75rem; font-family:monospace; } </style>
<?...
0 votes | 0 answers | 260 views
How is a csrf token obtained by the client that was never sent in any response?
The csrf token on the social media platform twitter.com / x.com is stored in a header called x-csrf-token and in a cookie called ct0.
However, it seems that this token is never sent to the client on ...
0 votes | 0 answers | 31 views
Cookies not passing into post request headers
I'm currently using Vue/Axios on the frontend, and I'm trying to hook up some api endpoints that require a session cookie to be passed into the request headers. The backend is built using Python/Flask....
0 votes | 1 answer | 694 views
Laravel on sub domain ignore parent cookies when
I have a laravel app on a parent domain. SESSION_DOMAIN is set to .domain.com because I want the cookies to be shared with another subdomain first.domain.com.
I now want to publish another app at ...
0 votes | 1 answer | 965 views
Django: Forbidden (CSRF cookie not set.)
I'm using Django with PyJWT to generate a JWT for a simple login. Although it previously worked well, now I'm getting the Forbidden (CSRF cookie not set.) error.
There is no CSRF_COOKIE_SECURE in the setting....
0 votes | 2 answers | 465 views
I am unable to get response data or response body
I ran my JMeter script, but I am getting this message in my response data.
for(;;);[{"changes":{},"resources":{},"locales":{},"meta":{"appError":{&...
0 votes | 2 answers | 1k views
How to use React and Django for user token authentication and storage
What I want to accomplish is a secure and user experience friendly approach to authenticating and storing user's token.
As seen here the recommended answer suggests to use a set of two cookies which ...
3 votes | 1 answer | 835 views
Axios request not sending expected cookie header to Django server
I'm trying to upload a file to a Django server using an Axios post request in a React app. The server expects a CSRF cookie to be included in the request headers.
The request already includes all the ...
-1 votes | 1 answer | 3k views
CSRF Cookie is not being set when using axios GET - Laravel 9 Sanctum
I am currently trying to create a simple authentication feature using Laravel (v9.52.4) and Sanctum. From the frontend I am currently using Axios to get and post data. Both frontend and backend API ...
0 votes | 0 answers | 1k views
How to disable CSRF_COOKIE_SECURE in django
CSRF_COOKIE_SAMESITE = 'None'
CSRF_COOKIE_SECURE = False
My frontend and backend run on different domains in development, I'm trying to enable setting csrf-token cookie using HTTP, but I guess False ...
0 votes | 1 answer | 420 views
Cookie flow in a site that hosts embedded Youtube video
When there's a Youtube video embedded on a site that I visit while I am logged in Youtube beforehand, how does the embedded video know that it's me so I can add it to my Watch Later list?
I think the ...
0 votes | 0 answers | 585 views
Go how to use cookiejar for multiple requests?
I'm trying to make a cli for a site that has csrf, needing the csrf token to be sent on headers and on a form.
I can't seem to understand net/http.Client or net/http/cookieJar
This its even good ...
0 votes | 1 answer | 752 views
Getting "The CSRF tokens do not match" when using nginx
When the app is running without nginx, Flask forms work fine. But when I use nginx, I get the "{'csrf_token': ['The CSRF tokens do not match.']}" error every time I try to submit the form.
...
-2 votes | 2 answers | 292 views
Cookies don't get set
I use Axios to get cookies from http://localhost/sanctum/csrf-cookie
My app is doing requests from localhost:3000, which is configured by Nuxt.
My backend is configured by Laravel Sanctum at localhost:80
...
1 vote | 1 answer | 318 views
Ways to prevent CSRF and have good cookie etiquette on a no-JavaScript login page?
Context: I'm building a website that has a password-locked admin portal. Additionally, JS is only used for progressive enhancement of the 100% already-working site.
Security issue: The login form is ...
2 votes | 1 answer | 895 views
Why is cookie without SameSite attribute sent on cross-domain form post?
I have a page on https://dskl.net/xsrf/setcookies.php which sets a cookie with the following header:
set-cookie: secure-cookie=secure; expires=Mon, 24-Jul-2023 11:27:06 GMT; Max-Age=31536000; path=/; ...
0 votes | 1 answer | 862 views
Cookies and Local Storage are empty on localhost:4200 in Angular 10
Why is my application not saving anything into Cookies and Local Storage when run on localhost?
It is an Angular 10/Express app.
If I deploy the application on the server and I visit the website then when ...
0 votes | 0 answers | 320 views
Is the double submit cookie pattern really safe?
I've searched a lot about CSRF protection. Some of it mentioned the double submit cookie pattern, and says that it has a vulnerability regarding subdomain XSS and HTTP MITM attacks.
But I can't figure out one ...
-1 votes | 1 answer | 1k views
How can I call a GET endpoint from Postman with JSESSIONID and CSRF protection enabled?
My cookies in the request header look like this:
website cookies
When I log out or the session expires, I can't make a GET request in Postman, because the values of those two are different each time.
...
0 votes | 1 answer | 1k views
How is Laravel 8 CSRF token actually safe?
The most voted answer in this question (https://security.stackexchange.com/questions/19128/csrf-cookie-vs-session-based-tokens) states
If you put your token in a cookie, it will be sent to the server ...
1 vote | 1 answer | 2k views
Laravel Sanctum & NuxtJS SPA not creating csrf cookie in the browser
I have a backend API in Laravel with Sanctum, and separate repository SPA in NuxtJS
I am trying to authenticate my SPA with Sanctum. I am trying to get the CSRF cookie in the browser as per Sanctum ...
1 vote | 3 answers | 5k views
What is the point of X-CSRF-TOKEN or X-XSRF-TOKEN, why not just use a strict same site cookie?
Frameworks such as Laravel and others require you to place the CSRF token in your HTML forms.
However, at the same time Laravel comes by default with the VerifyCsrfToken middleware that automatically ...
2 votes | 1 answer | 5k views
What is the purpose of nonce and hmac in a session cookie?
I am looking at some code, and they are storing a "nonce" and an "hmac" in a user's session cookie. What is the purpose of a nonce? What is the purpose of the hmac?
0 votes | 1 answer | 325 views
CSRF, CORS and my approach to authentication
I've seen many questions about CSRF attacks and GET requests, and I'm trying to work out what I need for my app's authentication system.
My stack is an SPA React app hosted at app.site.com, and an API ...