How to do csrf protection for http.Get requests?

Question

How to do csrf protection for http.Get requests?

qibobo opened this issue 6 years ago · comments

Currently the csrf protection will skip http Get requests in the code "if !contains(safeMethods, r.Method)".
In my application I want to some http Get requests to be protected, how to do it?

Matt Silverlock · Answer 1 · Thu Jul 19 2018 10:49:34 GMT+0800 (China Standard Time)

Can you explain more about your application? What drives the need to protect GET requests?

…

On Wed, Jul 18, 2018 at 7:29 PM qibobo ***@***.***> wrote: Currently the csrf protection will skip http Get requests in the code "if !contains(safeMethods, r.Method)". In my application I want to some http Get requests to be protected, how to do it? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#95>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AABIcDk_DndNoK11MBkQbKXxCVAvFftvks5uH-8KgaJpZM4VVpzF> .

qibobo · Answer 2 · Thu Jul 19 2018 11:08:32 GMT+0800 (China Standard Time)

@elithrar
There are some routes in the application:
/index http.Get
/getSomething http.Get
/putSomething http.Put

The "/index" route will return a web page that contains the csrf-token and users can request the "/getSomething" by csrf attack as no csrf protection for it, right? I want to protect the "/getSomething".

I just want to skip some certain paths and protect all the other requests no matter they are http.get or not.

Matt Silverlock · Answer 3 · Thu Jul 19 2018 11:47:14 GMT+0800 (China Standard Time)

That’s not how the protection works. CSRF requires the attacker to make a mutating change. Tokens are always issued regardless of method, but a GET should not make a change on behalf of the user. This is why non-idempotent methods (POST, PUT, etc) use the protection.

…

On Wed, Jul 18, 2018 at 8:08 PM qibobo ***@***.***> wrote: @elithrar <https://github.com/elithrar> There are some routes in the application: /index http.Get /getSomething http.Get /putSomething http.Put The "/index" route will return a web page that contains the csrf-token and users can request the "/getSomething" by csrf attack as no csrf protection for it, right? I want to protect the "/getSomething". — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#95 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AABIcCKYBRUFaB8SUPQe4758cQNCHb02ks5uH_gygaJpZM4VVpzF> .

qibobo · Answer 4 · Thu Jul 19 2018 15:19:42 GMT+0800 (China Standard Time)

@elithrar Got it. Thank you!