Is CORS enough for CSRF?

No. The Same Origin Policy (which CORS lets you punch selective holes through) prevents third-party sites from masquerading as a user in order to read (private) data from another site.

What is the Referer header used for?

The Referer header allows servers to identify where people are visiting them from, which can then be used for analytics, logging, optimized caching, and more. The Referer header may not contain URL fragments (e.g. "#section") or "username:password" information.

How reliable is the Referer header?

Using HTTP_REFERER isn't reliable: its value depends on the HTTP Referer header sent by the browser or client application to the server, so it can't be trusted because it can be manipulated.

Is it necessary to check the Referer and Origin headers?

To protect against CSRF it is therefore necessary to block any requests that are missing a Referer (and Origin) header. Edit: This paper has some numbers on what portion of clients omit a Referer header. OWASP recommends checking a CSRF token in addition to checking the Origin and Referer.

Is the Referer enough to protect against CSRF?

Checking the Referer is a commonly used method of preventing CSRF on embedded network devices because it does not require per-user state. This makes the Referer a useful method of CSRF prevention when memory is scarce.

Is it possible to spoof the Referer header?

Although it is trivial to spoof the Referer header on your own browser, it is impossible to do so in a CSRF attack.
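The source-header check described in the three answers above (reject state-changing requests whose Origin, or failing that Referer, is missing or does not match the site, and additionally verify a CSRF token as OWASP recommends) can be written as a small server-side filter. The code below is an added example and is not from the original page; the allowlist, the header dictionaries and the token values are constructed for illustration, and the check compares only scheme and host:port (ports are not normalised, so "https://app.example.com:443" would not match "https://app.example.com").

```python
import hmac
from urllib.parse import urlsplit

# Constructed allowlist of origins this site serves itself from (assumption).
ALLOWED_ORIGINS = {"https://app.example.com"}

# Methods that must not change state and therefore need no CSRF checks.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin_of(url):
    """Reduce a URL (Origin or Referer value) to scheme://host[:port]."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def check_request_source(headers, allowed_origins=ALLOWED_ORIGINS):
    """Verify the request came from our own site.

    Prefer the Origin header; fall back to Referer; reject when both are
    absent, because a cross-site forged request cannot set them to our
    origin while a request from our own pages normally carries one.
    Returns (ok, reason).
    """
    lowered = {k.lower(): v for k, v in headers.items()}

    origin = lowered.get("origin")
    if origin and origin != "null":          # "null" is an opaque origin
        return (_origin_of(origin) in allowed_origins,
                f"Origin header {origin!r}")

    referer = lowered.get("referer")
    if referer:
        return (_origin_of(referer) in allowed_origins,
                f"Referer header {referer!r}")

    return (False, "neither Origin nor Referer present")


def csrf_token_matches(expected, submitted):
    """Constant-time comparison of the session's token with the form's."""
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def state_changing_request_allowed(method, headers, session_token, form_token):
    """Combine both defences: source headers AND a per-session token."""
    if method.upper() in SAFE_METHODS:
        return True
    source_ok, _reason = check_request_source(headers)
    return source_ok and csrf_token_matches(session_token, form_token)


if __name__ == "__main__":
    # Constructed sample requests.
    own_site = {"Origin": "https://app.example.com"}
    cross_site = {"Origin": "https://attacker.example"}
    no_headers = {}
    for label, hdrs in [("own site", own_site), ("cross site", cross_site),
                        ("no headers", no_headers)]:
        print(label, check_request_source(hdrs))
    print("POST with token:",
          state_changing_request_allowed("POST", own_site, "tok1", "tok1"))
```

Note that the fall-back to Referer is deliberately only a fall-back: browsers send Origin on every cross-origin POST, whereas the Referer may be stripped by privacy settings, which is why the page says the missing-header case has to be treated as a rejection rather than a pass.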

How to prevent CSRF attacks on your website?

To prevent "click-jacking", set the header X-Frame-Options: DENY. This tells the browser that it is not allowed to display any part of your website in an iframe. Setting the cookie attribute SameSite=Lax or SameSite=Strict will prevent CSRF attacks.
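To make the two response-side settings above concrete, the added example below (not code from the original page) builds the X-Frame-Options header and a session Set-Cookie header with Python's standard-library cookie module, and then models when a browser attaches that cookie to a cross-site request under each SameSite value. The cookie name, value and request scenarios are constructed; the model implements the SameSite rules as specified (Strict: never cross-site; Lax: only on top-level navigations with a safe method; None: always, which is why it requires Secure).

```python
from http.cookies import SimpleCookie

VALID_SAMESITE = ("Strict", "Lax", "None")

# Methods the SameSite=Lax rule treats as safe; GET and HEAD are the
# ones that matter for top-level navigations in practice.
SAFE_METHODS = {"GET", "HEAD"}


def security_headers():
    """Response headers the page recommends against framing."""
    return {"X-Frame-Options": "DENY"}


def session_cookie_header(name, value, samesite="Lax"):
    """Return the Set-Cookie header value for a hardened session cookie."""
    if samesite not in VALID_SAMESITE:
        raise ValueError(f"SameSite must be one of {VALID_SAMESITE}")
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["httponly"] = True      # not readable from script
    morsel["secure"] = True        # HTTPS only; mandatory for SameSite=None
    morsel["samesite"] = samesite
    return morsel.OutputString()


def browser_sends_cookie(samesite, same_site_request, method, top_level_navigation):
    """Model of the SameSite attribute's effect on one request.

    same_site_request: the request's initiating site equals the cookie's site.
    top_level_navigation: the request changes the address bar (link, form
    submit, redirect), as opposed to a subresource, fetch, or iframe load.
    """
    if same_site_request:
        return True                      # SameSite never restricts same-site use
    if samesite == "None":
        return True                      # explicitly opted out of protection
    if samesite == "Strict":
        return False                     # never sent cross-site
    # Lax: only top-level navigations using a safe method carry the cookie,
    # so a cross-site POST (the classic CSRF vector) arrives without it.
    return top_level_navigation and method.upper() in SAFE_METHODS


if __name__ == "__main__":
    print(security_headers())
    print("Set-Cookie:", session_cookie_header("sid", "s3ss10n", "Strict"))
    # Constructed scenario: a cross-site form POST from another site.
    for mode in VALID_SAMESITE:
        sent = browser_sends_cookie(mode, same_site_request=False,
                                    method="POST", top_level_navigation=True)
        print(f"SameSite={mode}: cookie sent on cross-site POST? {sent}")
```

The Lax branch is where the CSRF protection actually comes from: a forged form submission from another site is a cross-site top-level POST, so the session cookie stays home and the server sees an unauthenticated request. Strict additionally drops the cookie on cross-site links into your site, which breaks "follow a link from e-mail and land logged in" flows, so Lax is the usual choice for the main session cookie.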