Anti Cross-Site Request Forgery (CSRF) Protection #115

jeevatkm · 2017-09-09T19:02:54Z

Goal is not just bring Anti Cross-Site Request Forgery (CSRF) protection support; instead smart Anti CSRF protection feature in aah.

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Things I'm aiming for:

Just enable it, aah will do the smart work
Support multiple HTML form
Check Anti-CSRF token for every non-safe methods defined in https://tools.ietf.org/html/rfc7231#section-4.2.1. Safe methods GET, HEAD, OPTIONS, TRACE
Take care of profile prod and dev appropriately
Check Anti-CSRF token in the order of HTTP Header, Form (application/x-www-form-urlencoded, multipart/form-data)

Implementation
App templete update (config, etc...)
Documentation

The text was updated successfully, but these errors were encountered:

…#115

jeevatkm created this issue from a note in aah Roadmap (Backlog) Sep 9, 2017

jeevatkm moved this from Backlog to v0.9 - Iteration in aah Roadmap Sep 9, 2017

jeevatkm added feature lib-security Security (Authc, Authz, Password Crypto, etc) labels Sep 9, 2017

jeevatkm added this to the v0.9 Milestone milestone Sep 9, 2017

jeevatkm changed the title ~~Cross-Site Request Forgery (CSRF)~~ Anti Cross-Site Request Forgery (CSRF) Protection Sep 11, 2017

jeevatkm self-assigned this Sep 11, 2017

jeevatkm moved this from v0.9 - Iteration to v0.9 - In Progress in aah Roadmap Sep 11, 2017

jeevatkm added a commit to go-aah/essentials that referenced this issue Sep 16, 2017

base64 encode methods moved to essentials go-aah/aah#115

7431391

jeevatkm added a commit to go-aah/security that referenced this issue Sep 17, 2017

anti-csrf protection implementation and improvements go-aah/aah#115

c849d09

jeevatkm added a commit to go-aah/security that referenced this issue Sep 18, 2017

anticsrf clear cookie and improvements go-aah/aah#115

bffa791

jeevatkm added a commit to go-aah/security that referenced this issue Sep 18, 2017

anticsrf clear cookie and improvements go-aah/aah#115

ad27fca

jeevatkm added a commit that referenced this issue Sep 19, 2017

#115 integrating anti csrf protection feature

8256253

jeevatkm added a commit to go-aah/tools that referenced this issue Sep 19, 2017

anti csrf config update and sign, enc key added to new cmd go-aah/aah…

304c8ee

…#115

jeevatkm added a commit to go-aah/view that referenced this issue Sep 20, 2017

adding Anti-CSRF field automatically to all HTML forms go-aah/aah#115

9d2c23d

jeevatkm mentioned this issue Sep 21, 2017

Anti CSRF Protection #121

Merged

jeevatkm added a commit that referenced this issue Sep 21, 2017

Anti CSRF Protection #115 (#121)

e871079

jeevatkm closed this as completed Sep 21, 2017

jeevatkm moved this from v0.9 - In Progress to v0.9 - Completed in aah Roadmap Sep 21, 2017

jeevatkm added a commit to go-aah/docs that referenced this issue Sep 21, 2017

anti-csrf docs update go-aah/aah#115

db2a516

jeevatkm added a commit that referenced this issue Oct 4, 2017

anti-csrf conditional added for individual route exclude #115

4d17eed

jeevatkm moved this from v0.9 - Completed to Released to Audience in aah Roadmap Oct 4, 2017

jeevatkm added a commit to go-aah/app-templates that referenced this issue Jul 4, 2018

anti csrf config update and sign, enc key added to new cmd go-aah/aah…

e4bb296

…#115

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Anti Cross-Site Request Forgery (CSRF) Protection #115

Anti Cross-Site Request Forgery (CSRF) Protection #115

jeevatkm commented Sep 9, 2017 •

edited

Anti Cross-Site Request Forgery (CSRF) Protection #115

Anti Cross-Site Request Forgery (CSRF) Protection #115

Comments

jeevatkm commented Sep 9, 2017 • edited

jeevatkm commented Sep 9, 2017 •

edited