Yes. CSRF has nothing to do with a common codebase. It protects actions against the backend from being involuntarily triggered.
Like, for example, an embedded "image" here in a comment, which triggers a logout for everyone seeing it. (Not actually possible, since logout is CSRF protected in this case)
but I don't think logout is harmful, can you give me another example please?
Hm, that was a bad example.
Basically anything triggering an action can be affected. The action can be triggered involuntarily on the user's behalf; that's the actual problem. A CSRF token prevents this.
Publishing a post, deleting your account, changing profile name, posting this comment, liking a post, ....
Depends on the application.
See owasp.org/www-community/attacks/csrf for more information
I see, that makes sense. That's why the CSRF token will be regenerated for every request. Thanks, gonna read that soon
but what if I already handle that using token-based auth? Do I still need that?
login submit involuntarily
it can't be triggered if there are no valid creds and the resource is protected with token-based auth
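The two points made in this thread, the CSRF token check on a cookie-authenticated action and why a bearer-token API call does not need one, as an added Python example that is not part of the thread and not any commenter's code. The `Request` model, the in-memory stores, the endpoint name `delete_account` and the helper names are assumptions made for the illustration; the token is per-session here rather than per-request to keep the example short, and the cross-site case assumes the browser still attaches the session cookie (no SameSite restriction).

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory stores standing in for a real session/token backend (assumption).
SESSIONS = {}     # session_id -> {"user": ..., "csrf": ...}
API_TOKENS = {}   # bearer token -> user


@dataclass
class Request:
    """Minimal model of what the server sees for one HTTP request (assumption)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def create_session(user):
    """Cookie login: mint a session id and a random CSRF token bound to that session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def issue_api_token(user):
    """Token-based auth: the client must attach this in an Authorization header itself."""
    tok = secrets.token_urlsafe(32)
    API_TOKENS[tok] = user
    return tok


def current_user(req):
    """Resolve the caller: explicit bearer token first, then the browser-sent cookie."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        user = API_TOKENS.get(auth[len("Bearer "):])
        return (user, "bearer") if user else (None, None)
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess:
        return (sess["user"], "cookie")
    return (None, None)


def delete_account(req):
    """State-changing endpoint: cookie-authenticated calls must also carry the CSRF token."""
    user, how = current_user(req)
    if user is None:
        return 401, "not logged in"
    if how == "cookie":
        sess = SESSIONS[req.cookies["session"]]
        supplied = req.form.get("csrf_token", "")
        # Constant-time compare; an empty or stale token is rejected.
        if not hmac.compare_digest(supplied, sess["csrf"]):
            return 403, "missing or invalid CSRF token"
    return 200, f"account of {user} deleted"


def demo():
    """Four constructed requests showing which ones the endpoint accepts."""
    # 1. Legitimate form submit: the page rendered by the site included the token.
    sid = create_session("alice")
    legit = delete_account(Request("POST", "/delete",
                                   cookies={"session": sid},
                                   form={"csrf_token": SESSIONS[sid]["csrf"]}))

    # 2. Cross-site auto-submitted form: the browser attaches alice's cookie, but a
    #    third-party page cannot read her token, so the form arrives without it.
    sid2 = create_session("alice")
    cross_site_form = delete_account(Request("POST", "/delete",
                                             cookies={"session": sid2}, form={}))

    # 3. Token-based auth: client code sets the header explicitly; no CSRF token needed.
    tok = issue_api_token("bob")
    api_call = delete_account(Request("POST", "/delete",
                                      headers={"Authorization": f"Bearer {tok}"}))

    # 4. Same endpoint hit cross-site with no cookie session: the browser never adds
    #    a bearer header on its own, so the request arrives unauthenticated.
    cross_site_api = delete_account(Request("POST", "/delete"))
    return legit, cross_site_form, api_call, cross_site_api


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Case 2 is the "involuntary trigger" from the thread and is the one the token stops; case 4 is why the last commenter is right that a purely bearer-token-protected resource does not need a CSRF token: nothing is sent automatically, so there is nothing to forge. The check in `delete_account` only applies to the cookie path for exactly that reason.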