New ask Hacker News story: A Better Way of Defense with Csurf
A Better Way of Defense with Csurf
2 by vitalipom | 0 comments on Hacker News.
Csurf might be deprecated in the npm main repository, but it does not cancel the fact that this is still a great lib for CSRF Tokens in NodeJS. While striving to find and provide a straight route path for assured security on the websites, I have come up with a Context Design Pattern for CSRF Tokens, which is very simple but might not be what you think or what you are used to. In the traditional approach, to defend against foreign links that target, e.g., deleting your users’ profiles when clicking a link, we know that CSRF Tokens are the answer. But what happens when the links are on your website, e.g. in the HTML-formatted posts or comments section? Well, I suggested the following to ChatGPT and the machine has fallen for it! Think of csurf lib’s cookie being sent with the string “posts-cookie-token” while in the posts or comments section, along with a CSRF Token. The cookie is a session identifier and the CSRF token must be provided along with the cookie. In order not to allow actions such as user deletion from the comments section, there is a different cookie-csrf-token pair (or pairs) for the user profile section. This means that the CSRF Token for user deletion will never resolve for the comments section. Are there any Node developers in here at those hours? Security fans? What do you think, gang? I’m up to writing a security manual for novice web developers and selling it for some cash online. WDYT?