Protecting against cross-site request forgery (CSRF) attacks

Get advice on helping your customers prevent CSRF attacks with authentication, tokens and Web application firewalls (WAFs).

I've been hearing more about cross-site request forgery (CSRF) attacks -- for example, Netflix recently had to fix a flaw related to this. I'm wondering how I can protect my customers from this type of attack. Do Web application firewalls work?

A reverse of cross-site scripting (XSS), cross-site request forgery (CSRF or XSRF), is a malicious Web site attack that exploits the trust a Web site has in a user by forging a request from a trusted user. These attacks are very dangerous because they are more difficult to defend against than XSS attacks, and less frequent, which results in less attention being paid to them.

There is not a lot you can do to protect against CSRF at the present time. Switching from a persistent authentication method (e.g. a cookie or HTTP authentication) to a transient authentication method (e.g. a hidden field provided on every form) may help prevent these attacks.

Another approach is to include a secret, user-specific token in forms that is verified in addition to the cookie. And users can help protect their accounts at poorly designed sites by logging off the site before visiting another, or clearing their browser's cookies at the end of each browser session.

Web application firewalls (WAFs) may be a solution, as CSRF is fundamentally a problem with the Web application. The newly released Web Application Firewall Evaluation Criteria (WAFEC) version 1.0 from the Web Application Security Consortium (WASC) seeks to address these OSI Layer 7 threats.

Dig Deeper on Best practices for cybersecurity management