Do I need to implement a CSRF token even though my backend and frontend apps are separated?
Top comments (7)
Yes. CSRF has nothing to do with a common codebase. It protects actions against the backend from being involuntarily triggered.
Like, for example, an embedded "image" here in a comment which triggers a logout for everyone seeing it. (Not actually possible, since logout is CSRF-protected in this case.)
But I don't think logout is harmful; can you give me another example, please?
Hm, that was a bad example.
Basically anything triggering an action can be affected. The action can be triggered involuntarily on the user's behalf; that's the actual problem. A CSRF token prevents this.
Publishing a post, deleting your account, changing profile name, posting this comment, liking a post, ....
Depends on the application.
See owasp.org/www-community/attacks/csrf for more information
I see, that makes sense. That's why the CSRF token is regenerated for every request. Thanks, going to read that soon.
But what if I already handle that using token-based auth? Do I still need that?
Login submit involuntarily.
It can't be triggered if there are no valid creds and the resource is protected with token-based auth.