Tips on CSRF security #2538

jamesli2021 · 2023-10-30T10:07:21Z

jamesli2021
Oct 30, 2023

I have been researched on Origin Header which I'm unsure whether I'm implementing it correctly to harden site security.

As the basic
Go with GET method to /gettoken endpoint:

func getTokenHandler(c echo.Context) error {
	csrf, ok := c.Get("csrf").(string)
	if !ok {
		return ""
	}
	return c.JSON(http.StatusOK, map[string]string{"csrfToken": csrf})
}

On the fontend, the endpoint get CSRF token and add it to hidden input field within the login

.

<script>
const r: any = await fetch('/gettoken',{
  method: 'GET',
  headers: {
    'Accept': 'application/json',
  },
});
if (r.status !== 200) {
  throw new Error('Failed to fetch CSRF token');
}
const m = await r.json();
const x = document.getElementById('cic') as HTMLInputElement;
x && (x.value = m.csrfToken);
</script>

If Origin Header without CSRF is sufficient?
Is CSRF in Echo is synchronous token?
Is Cookies Signing on csrf with unique/secret value only for non-logged user can make hacking more difficult?

Answered by jamesli2021

Oct 31, 2023

I have no idea on the multiple cookies, how do I store values related to data if e.g. has a title, description, other complex inputs?

Or another idea, I could reissue new CSRF token to extend 24 hours whenever user create or retrieve post?

View full answer

aldas · 2023-10-30T10:37:11Z

aldas
Oct 30, 2023
Maintainer

About Origin, maybe this helps https://stackoverflow.com/questions/24680302/csrf-protection-with-cors-origin-header-vs-csrf-token
NB: also check the "Linked" question block on the right side

0 replies

jamesli2021 · 2023-10-30T12:24:20Z

jamesli2021
Oct 30, 2023
Author

From my understanding if both CSRF token in HTML and cookie header has the same value, that seems attackers could easily gained hold of the new generated token through GET endpint, do you think double CSRF submit could be implement for Echo?

7 replies

aldas Oct 30, 2023
Maintainer

You can set expire time

echo/middleware/csrf.go

Line 50 in 69a0de8

CookieMaxAge int `yaml:"cookie_max_age"`

when cookie expires the browser will not (typically) send that cookie anymore thus triggering recreation of that cookie in CSRF middleware

jamesli2021 Oct 31, 2023
Author

But we can't get expiry time to avoid losing users' unsaved draft.

aldas Oct 31, 2023
Maintainer

You can set multiple cookies. One to store values related to data and one related to csrf token

jamesli2021 Oct 31, 2023
Author

I have no idea on the multiple cookies, how do I store values related to data if e.g. has a title, description, other complex inputs?

Or another idea, I could reissue new CSRF token to extend 24 hours whenever user create or retrieve post?

Answer selected by jamesli2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Tips on CSRF security #2538

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 7 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Uh oh!

Tips on CSRF security #2538

Uh oh!

jamesli2021 Oct 30, 2023

Replies: 2 comments · 7 replies

Uh oh!

aldas Oct 30, 2023 Maintainer

Uh oh!

jamesli2021 Oct 30, 2023 Author

Uh oh!

aldas Oct 30, 2023 Maintainer

Uh oh!

jamesli2021 Oct 31, 2023 Author

Uh oh!

aldas Oct 31, 2023 Maintainer

Uh oh!

Uh oh!

jamesli2021 Oct 31, 2023 Author

jamesli2021
Oct 30, 2023

Replies: 2 comments 7 replies

aldas
Oct 30, 2023
Maintainer

jamesli2021
Oct 30, 2023
Author

aldas Oct 30, 2023
Maintainer

jamesli2021 Oct 31, 2023
Author

aldas Oct 31, 2023
Maintainer

jamesli2021 Oct 31, 2023
Author