Do I need to implement CSRF Token even though my backend and frontend apps are seperated?
For further actions, you may consider blocking this person and/or reporting abuse
Read next
The 6 Best Free Tools for Testing Webhook and Callback URLs
Sospeter Mong'are -
AI generates 4D textured scenes from text with video diffusion models
Mike Young -
Free-Lunch Explainable AI: Mesomorphic Networks Fuse Deep Learning and Linear Models for Tabular Data
Mike Young -
Five cool JavaScript tricks
Fourhtyoz -
Top comments (7)
Yes. CSRF has nothing to do with a common codebase. It protects actions against backend of being involuntarily triggered.
Like, for example, an embedded "image" here in a comment, which triggers a logout for everyone seeing it. (Not actually possible, since logout is CSRF protected in this case)
but I don't think logout is harmful, can u gimme another example pls?
Hm, that was a bad example.
Basically anything triggering an action can be affected. The action ca be triggered involuntarily on the users behalf, that's the actual problem. A CSRF Token prevents this.
Publishing a post, deleting your account, changing profile name, posting this comment, liking a post, ....
Depends on the application.
See owasp.org/www-community/attacks/csrf for more information
I see, that's make sense. That's why CSRF Token will be regenerated for every request. Thanks, gonna read that soon
but, what if I alr handle that using token based auth? do I still need that?
login submit involuntarily
it can't be triggered if there's no valid creds and the resources is protected with token based auth