Problem solve Get help with specific problems with your technologies, process and projects.

Protecting against cross-site request forgery (CSRF) attacks

Get advice on helping your customers prevent CSRF attacks with authentication, tokens and Web application firewalls (WAFs).

I've been hearing more about cross-site request forgery (CSRF) attacks -- for example, Netflix recently had to fix a flaw related to this. I'm wondering how I can protect my customers from this type of attack. Do Web application firewalls work?

A reverse of cross-site scripting (XSS), cross-site request forgery (CSRF or XSRF), is a malicious Web site attack that exploits the trust a Web site has in a user by forging a request from a trusted user. These attacks are very dangerous because they are more difficult to defend against than XSS attacks, and less frequent, which results in less attention being paid to them.

There is not a lot you can do to protect against CSRF at the present time. Switching from a persistent authentication method (e.g. a cookie or HTTP authentication) to a transient authentication method (e.g. a hidden field provided on every form) may help prevent these attacks.

Another approach is to include a secret, user-specific token in forms that is verified in addition to the cookie. And users can help protect their accounts at poorly designed sites by logging off the site before visiting another, or clearing their browser's cookies at the end of each browser session.

Web application firewalls (WAFs) may be a solution, as CSRF is fundamentally a problem with the Web application. The newly released Web Application Firewall Evaluation Criteria (WAFEC) version 1.0 from the Web Application Security Consortium (WASC) seeks to address these OSI Layer 7 threats.

This was last published in January 2007

Dig Deeper on Application security and data protection

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.