CSRF mitigation

The spelling "referer" is intentional here: the header was misspelled in the original specification and nobody corrected it before it was published.

  1. Adding custom headers - referer and origin

When your browser makes a request to a site, it may send along headers such as Referer and Origin that identify the page the request came from. The owner of the web app can inspect each incoming request and check these headers: if the referer/origin is owner.com, accept the request, otherwise reject it. Requests made with XMLHttpRequest or fetch cannot set these headers directly; they are controlled by the browser.

This check relies on properties of the Same Origin Policy.

Bypass: if there is an XSS on the page, the attacker can issue the malicious request from the same origin, so the headers look legitimate.

  2. Nonce - a CSRF token: more common and more effective.

Modern forms carry a random value that the server must also receive before it completes the request, for example in Django: <form method="post">{% csrf_token %}. Whenever the owner generates a page to send to the client, it also generates a very long random string and sends it along. An attacker cannot see this value, because it is only returned to a request authenticated as the targeted user; the attacker is not authenticated as that user. Bypass: by using XSS, which can read the token from the page.
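Both mitigations above, as an added illustration that is not part of the original notes: an Origin/Referer check against the site's own origin, and a per-session CSRF nonce that is generated server-side and compared in constant time. The site origin, the session dict and the header/form dicts are assumed stand-ins for whatever the web framework provides.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the protected site (hypothetical value for this example).
SITE_ORIGIN = "https://owner.com"


def origin_allowed(headers, site_origin=SITE_ORIGIN):
    """Mitigation 1: compare the request's Origin (preferred) or Referer
    origin with our own. Page scripts cannot set these headers, so a
    cross-site page cannot forge them. A request carrying neither header
    is rejected: there is nothing to verify."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        if not parts.scheme or not parts.netloc:
            return False
        # Reduce the full Referer URL to scheme://host[:port] before comparing,
        # so "https://owner.com.evil.example/" does not match by prefix.
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == site_origin


def issue_csrf_token(session):
    """Mitigation 2: generate the long random nonce once per session and keep
    it server-side; the page embeds it in the form for the client to return."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_token_valid(session, submitted):
    """Reject if the session has no token, the form omitted it, or it differs.
    compare_digest avoids leaking the token through timing differences."""
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def accept_state_changing_request(headers, form, session):
    """A POST is accepted only when both checks pass."""
    return origin_allowed(headers) and csrf_token_valid(session, form.get("csrf_token"))
```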
