Do I need to implement CSRF Token even though my backend and frontend apps are separated?
Top comments (7)
Yes. CSRF has nothing to do with a common codebase. It protects actions against backend of being involuntarily triggered.
Like, for example, an embedded "image" here in a comment, which triggers a logout for everyone seeing it. (Not actually possible, since logout is CSRF protected in this case)
But I don't think logout is harmful, can you give me another example please?
Hm, that was a bad example.
Basically anything triggering an action can be affected. The action can be triggered involuntarily on the user's behalf, that's the actual problem. A CSRF Token prevents this.
Publishing a post, deleting your account, changing profile name, posting this comment, liking a post, ....
Depends on the application.
See owasp.org/www-community/attacks/csrf for more information
I see, that makes sense. That's why the CSRF Token will be regenerated for every request. Thanks, gonna read that soon.
But what if I already handle that using token-based auth? Do I still need that?
login submit involuntarily
It can't be triggered if there are no valid creds and the resource is protected with token-based auth.
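To make the two points in this thread concrete (the answerer's "an action triggered involuntarily on the user's behalf" and the closing exchange about token-based auth), here is an added example that is not code from the original post or any commenter. It models a backend's decision for a state-changing request under the two credential styles the thread discusses. The session cookie name `session`, the header name `X-CSRF-Token`, the synchronizer-token pattern, and the in-memory stores are all assumptions of this example, not anything the post specifies.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for the backend's session and
# API-token storage (assumptions of this example, not from the post).
SESSIONS = {}          # session cookie value -> CSRF synchronizer token
BEARER_TOKENS = set()  # valid API tokens handed to the frontend app

# Methods that must never change state, so no CSRF check applies to them.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

SESSION_COOKIE = "session"      # assumed cookie name
CSRF_HEADER = "x-csrf-token"    # assumed header name (compared lower-cased)


def create_session():
    """Cookie-based login: issue a session id plus a CSRF token bound to it.

    The frontend reads the token from the login response and echoes it back
    in a header; a page on another origin cannot read it, so it cannot forge
    the header.
    """
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = secrets.token_urlsafe(32)
    return session_id, SESSIONS[session_id]


def issue_bearer_token():
    """Token-based login: issue a token the frontend sends in Authorization."""
    token = secrets.token_urlsafe(32)
    BEARER_TOKENS.add(token)
    return token


def _equal(a, b):
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def check_request(method, headers=None, cookies=None):
    """Decide whether a request may be processed. Returns (allowed, reason).

    `headers` are the request headers, `cookies` the cookies the browser
    attached. Header names are matched case-insensitively.
    """
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    cookies = cookies or {}

    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    auth = headers.get("authorization", "")
    if auth.startswith("Bearer "):
        # A browser never adds Authorization by itself; only the frontend's
        # own JavaScript can, and a cross-site page cannot. So a forged
        # request either lacks this header or carries a token it made up.
        token = auth[len("Bearer "):]
        if any(_equal(token, t) for t in BEARER_TOKENS):
            return True, "authenticated by bearer token"
        return False, "invalid bearer token"

    session_id = cookies.get(SESSION_COOKIE)
    if session_id not in SESSIONS:
        # No usable credential: the request cannot act as anyone.
        return False, "not authenticated"

    # Cookie auth: the browser attaches the cookie to a cross-site request
    # too, so the backend would act as the victim unless the request also
    # carries the token only the real frontend could have obtained.
    presented = headers.get(CSRF_HEADER, "")
    if not _equal(presented, SESSIONS[session_id]):
        return False, "missing or wrong CSRF token"
    return True, "authenticated by session cookie with valid CSRF token"


if __name__ == "__main__":
    sid, csrf = create_session()
    # A cross-site form post: the cookie rides along, the token does not.
    print(check_request("POST", {}, {SESSION_COOKIE: sid}))
    # The real frontend: cookie plus echoed token.
    print(check_request("POST", {"X-CSRF-Token": csrf}, {SESSION_COOKIE: sid}))
    # Token-based auth: header set by the frontend's code, no cookie at all.
    print(check_request("POST", {"Authorization": "Bearer " + issue_bearer_token()}))
```

The branch order is the whole point: with token-based auth the credential lives in a header the browser will not attach on its own, so a cross-site request arrives unauthenticated and is refused before any CSRF check is reached. That holds only while the token really is sent from JavaScript and not stored in a cookie, and only if the same endpoint does not also accept the session cookie as an alternative credential; in either of those cases the request is back on the cookie path and the CSRF token is needed again.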