We need to ensure that requests from identified users are made via an application provided by the original site (and not through a link [even if valid] received from another source), which for some controllers could lead to CSRF attacks.
So, we limit ourselves to two things:
Check the presence of the CSRF token when it's a required condition.
When it's present, verify that the token is valid (generated by the backend).
Note: the CSRF mechanism cannot be implemented on public routes. If it is deemed necessary there, that indicates a flaw in the application logic (public routes should never trigger the execution of sensitive actions).
Implement a two-part structure:
format: {payload}.{signature}
payload: a JSON object, base64 encoded, with the structure {body: bin2hex(random_bytes(10)), time: time()}
signature: the payload, hashed with the installation's secret key.
Implement verification when required
To verify the token's validity, we extract the payload and generate a hash from it using the installation's secret key. The obtained value should match the received signature.
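The token format and the check described in this issue, as an added example in PHP (the issue's own snippets are PHP); this is illustrative code, not the project's implementation. Everything the issue does not state is an assumption here: HMAC-SHA256 as the keyed hash, URL-safe base64 for the payload, a constant-time comparison via hash_equals, and a maximum token age (CSRF_MAX_AGE) checked against the payload's time field.

```php
<?php
// Added example, not the project's code. Implements the
// {payload}.{signature} CSRF token described in the issue.
// Assumptions not in the issue: HMAC-SHA256 as the keyed hash,
// URL-safe base64, and a maximum token age checked against "time".

declare(strict_types=1);

const CSRF_MAX_AGE = 3600; // seconds; assumed, the issue gives no lifetime

function b64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): ?string
{
    $bin = base64_decode(strtr($txt, '-_', '+/'), true);
    return $bin === false ? null : $bin;
}

/** Build a token: base64(JSON{body,time}) . HMAC(payload, secret). */
function csrf_generate(string $secret): string
{
    $payload = b64url_encode(json_encode([
        'body' => bin2hex(random_bytes(10)),
        'time' => time(),
    ], JSON_THROW_ON_ERROR));
    $signature = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $signature;
}

/** Verify a token; true only for a well-formed, authentic, fresh token. */
function csrf_verify(string $token, string $secret, ?int $now = null): bool
{
    $now ??= time();
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return false;
    }
    [$payload, $signature] = $parts;

    // Recompute the signature over the received payload and compare in
    // constant time, so the comparison does not leak a timing oracle.
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $signature)) {
        return false;
    }

    // Only after authenticity is established do we parse and trust the payload.
    $json = b64url_decode($payload);
    if ($json === null) {
        return false;
    }
    $data = json_decode($json, true);
    if (!is_array($data) || !isset($data['body'], $data['time']) || !is_int($data['time'])) {
        return false;
    }
    // body must be exactly the 10 random bytes, hex encoded (20 hex digits).
    if (!is_string($data['body']) || strlen($data['body']) !== 20 || !ctype_xdigit($data['body'])) {
        return false;
    }
    // Reject stale tokens and tokens dated in the future.
    return $data['time'] <= $now && ($now - $data['time']) <= CSRF_MAX_AGE;
}

// Demo with a constructed secret standing in for the installation's secret key.
$secret = bin2hex(random_bytes(32));
$token  = csrf_generate($secret);
var_dump(csrf_verify($token, $secret));                 // true
var_dump(csrf_verify($token, 'other-secret'));          // false: wrong key
var_dump(csrf_verify($token . 'x', $secret));           // false: tampered signature
var_dump(csrf_verify($token, $secret, time() + 7200));  // false: older than CSRF_MAX_AGE
```

Two design choices worth noting. The issue only says the payload is "hashed with the installation's secret key"; the example uses HMAC rather than a bare hash of payload plus key, because HMAC is the standard keyed construction and is not subject to length-extension. And the signature is checked before the payload is decoded, so unauthenticated input never reaches json_decode or the freshness logic.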