csrf

From http://sporcic.org/2012/10/csrf-with-nodejs-and-express-3 : app.use(express.csrf()); app.use(function(req, res, next){ res.locals.token = req.session._csrf; next(); }); app.use(app.router); To make use of above protection, does it mean I should put hidden _csrf hidden input in ALL of my forms including admin-only pages? One option is to add a hidden input field to all your forms as you mention. But according to the Express docs on csrf: The default value function checks req.body generated by the bodyParser() middleware, req.query generated by query() , and the "X-CSRF-Token" header field.

I am looking for a way to add a CSRF token to an application I'm making. The caveat is, the application does not currently use cookies or sessions. I would love to find a way to introduce a CSRF token without having to: Introduce state in my application. Use session or cookie ( $_SESSION / $_COOKIE ) storage Is this at all a possibility, or am I stuck creating new state in my application. You can, but it's not going to be very secure. Here's an example BUT DO NOT USE THIS, IT IS PROBABLY A BAD IDEA : // Do this somewhere define('CSRF_SALT', '4dedMj4CWgBMNhRsoTpJlokwB5wTz7UsmF8Mq4uzFIbv');

I have a REST service, built using Java, Spring-boot and using Spring Security with Basic Access Authentication. There are no Views, no JSP etc, no 'login', just stateless services which can be called from a React app hosted separately. I've read a variety of documentation about CSRF protection, but can't decide whether I should be using spring-security CSRF config, or just disabling it? If I disable the csrf protection I can call the service with curl using my basic auth like this: curl -H "authorization:Basic c35sdfsdfjpzYzB0dDFzaHA=" -H "content-type:application/json" -d '{"username":"user"

I want login from a PHP script to another website but I always get this reply: 403 Error: CSRF token mismatch I extract the CSRF token from a hidden field on website but it seems it is wrong. This is my code: $username = "testuser"; $password = "testpass"; $path = "c:\\test\\"; $url="http://itw.me/login"; $field='_csrf'; $html=file_get_contents( $url ); libxml_use_internal_errors( true ); $dom=new DOMDocument; $dom->validateOnParse=false; $dom->recover=true; $dom->formatOutput=false; $dom->loadHTML( $html ); libxml_clear_errors(); $xpath=new DOMXPath( $dom ); $col=$xpath->query('//input[@name=

CSRF protection for a JSF based web app and Tomcat6 backend without using any external packages. Kindly help. BalusC JSF has already builtin protection against CSRF by the javax.faces.ViewState hidden field which is to be linked with the state of the component tree in the server side. If this hidden field is missing or contains a wrong value, then JSF simply won't process the POST request. On JSF 1.x the key is only a bit too easy to guess, see also JSF impl issue 812 and JSF spec issue 869 . This is fixed in JSF 2.1. Your major concern should be XSS . A succesful XSS attack can form a source