
How do I Prevent Cross-Site Forgery?

By Robert Grimmick
Updated: Feb 27, 2024

A cross-site forgery (XSRF or CSRF), also known by a variety of names including cross-site request forgery, session riding, and one-click attack, is a difficult type of website exploit to prevent. It operates by tricking a web browser into sending unauthorized commands to a remote server. Cross-site forgery attacks only work against users who have logged into websites with authentic credentials; as a result, logging out of websites can be a simple and effective preventative measure. Web developers can use randomly generated tokens to help prevent this type of attack, but should avoid checking the referrer or relying on cookies.

It is common for cross-site forgery exploits to target web browsers in what is known as a “confused deputy attack.” Believing it is acting on the user’s behalf, the browser is tricked into sending unauthorized commands to a remote server. These commands can be hidden inside seemingly innocent portions of a webpage’s markup code, which means that a browser trying to download an image file might actually be sending commands to a bank, online retailer, or social networking site. Some browsers now include measures designed to prevent cross-site forgery attacks, and third-party programmers have created extensions or plugins for browsers that lack these measures. It may also be a good idea to turn off HyperText Markup Language (HTML) e-mail in your preferred client, because these programs are also vulnerable to cross-site forgery attacks.

Since cross-site forgery attacks rely upon users who have legitimately logged into a website, one of the easiest ways to prevent such an attack is to simply log out of sites that you are finished using. Many sites that deal with sensitive data, including banks and brokerage firms, do this automatically after a certain period of inactivity. Other sites take the opposite approach and allow users to be persistently logged in for days or weeks. Although you might find this convenient, it does expose you to CSRF attacks. Look for a “remember me on this computer” or “keep me logged in” option and disable it, and make sure to click the log out link when you’ve completed a session.

For web developers, eliminating cross-site forgery vulnerabilities can be a particularly challenging task. Checking referrer and cookie information does not provide much protection, because CSRF exploits take advantage of legitimate user credentials and this information is easy to spoof. A better approach is to randomly generate a single-use token each time a user logs in, and to require that the token be included with any request sent by the user. For important requests like purchases or fund transfers, requiring the user to re-enter their username and password can help ensure the authenticity of the request.
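The token approach described above, as an added example that is not part of the original article: the server issues a random token at login, embeds it in its own forms, and rejects any state-changing request that does not carry the matching token. The in-memory session store, the `/transfer` form, and the function names are assumptions made for this illustration.

```python
import hmac
import secrets

# Hypothetical in-memory session store: session id -> current CSRF token.
# Constructed for this example; a real application would use its session backend.
_sessions: dict[str, str] = {}


def login(session_id: str) -> str:
    """Issue a fresh random token when a user logs in, bound to that session."""
    token = secrets.token_urlsafe(32)
    _sessions[session_id] = token
    return token


def render_transfer_form(session_id: str) -> str:
    """Embed the session's token as a hidden field. A page served by a third-party
    site cannot read this value, so it cannot build a request that passes the check."""
    token = _sessions[session_id]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(session_id: str, form: dict[str, str]) -> tuple[int, str]:
    """Server-side check on the state-changing request. A forged request carries
    the victim's session cookie automatically, but not the token from the form."""
    expected = _sessions.get(session_id)
    if expected is None:
        return 401, "not logged in"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(expected, supplied):
        return 403, "invalid or missing CSRF token"
    # Single-use: rotate the token once consumed so a captured value cannot be replayed.
    _sessions[session_id] = secrets.token_urlsafe(32)
    return 200, f"transferred {form.get('amount', '0')}"
```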

https://www.wise-geek.com/how-do-i-prevent-cross-site-forgery.htm