Cross-Site Request Forgery (CSRF) (跨站请求伪造)
CSRF (Cross-Site Request Forgery), also known as one-click attack, XSRF or session riding, is an attack that impersonates a trusted user and sends a website unwanted or unauthorized commands. It works because the browser attaches the user's session cookie to every request to the site, including requests triggered by a page on another origin, so the server cannot tell the forged request from a genuine one unless it checks something the other origin cannot supply.
Protection Solution
1. Cookie Hashing
Set-Cookie: csrftoken=xxxxxx; Secure; HttpOnly; SameSite=Strict
SameSite=Strict tells the browser not to send the cookie on cross-site requests at all; Secure limits it to HTTPS and HttpOnly keeps it out of reach of page scripts. The token value itself is derived server-side from the session cookie (a keyed hash), so a page on another origin, which cannot read the cookie, cannot compute it either.
2. One-Time CSRF Tokens
The server generates a random token, stores it in the user's session, and embeds it in the page, either in a meta tag for scripts to read:
<meta name="csrf-token" content="">
or as a hidden field of the form:
<form method="POST" action="transfer.php">
    <input type="hidden" name="csrf-token" value="">
    <input type="text" name="toBankId">
    <input type="text" name="money">
    <input type="submit" name="submit" value="Submit">
</form>
On each POST the server compares the submitted token with the stored one and rejects the request if it is missing or does not match; a one-time token is also discarded after its first use, so a captured form cannot be replayed.
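Server-side handling for both sections 1 and 2, as an added example that is not part of this page or of the transfer.php it shows: a token derived from the session cookie with an HMAC (the "cookie hashing" idea) and a one-time token kept in the session, each verified with a constant-time comparison. The session dict, the SERVER_SECRET value and the handle_transfer function are assumptions made for the example.

```python
"""CSRF checks: a cookie-derived (HMAC) token and one-time synchronizer tokens."""
import hashlib
import hmac
import secrets

# Constructed placeholder; a real deployment loads a random 32-byte key from config, never source.
SERVER_SECRET = b"example-secret-do-not-use-in-production"


def cookie_hashed_token(session_id: str) -> str:
    """Section 1 style: derive the CSRF token from the session cookie value.

    Keyed with a server-side secret, so a cross-site page that cannot read the
    cookie cannot compute the token, and the server needs no extra storage.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_cookie_hashed_token(session_id: str, submitted: str) -> bool:
    """Recompute the HMAC and compare in constant time (no timing leak on the prefix)."""
    if not submitted.isascii():
        return False
    return hmac.compare_digest(cookie_hashed_token(session_id), submitted)


def issue_one_time_token(session: dict) -> str:
    """Section 2 style: mint a random token, remember it server-side, hand it to the template."""
    token = secrets.token_urlsafe(32)
    session.setdefault("csrf_tokens", set()).add(token)
    return token


def consume_one_time_token(session: dict, submitted: str) -> bool:
    """Accept a stored token exactly once, then forget it so a replayed form is rejected."""
    if not submitted.isascii():
        return False
    tokens = session.get("csrf_tokens", set())
    match = next((t for t in tokens if hmac.compare_digest(t, submitted)), None)
    if match is None:
        return False
    tokens.discard(match)
    return True


def handle_transfer(session: dict, form: dict) -> str:
    """Assumed server side of the transfer.php form: refuse unless the hidden csrf-token is valid."""
    if not consume_one_time_token(session, form.get("csrf-token", "")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transfer {form['money']} to account {form['toBankId']}"


def demo() -> list:
    """Three submissions against one session: no token, a valid token, and a replay of it."""
    session = {}  # constructed stand-in for the server-side session store
    token = issue_one_time_token(session)
    cross_site = {"toBankId": "99", "money": "1000"}                # a form from another origin has no token
    genuine = {"csrf-token": token, "toBankId": "42", "money": "10"}  # the form rendered by our own page
    return [
        handle_transfer(session, cross_site),
        handle_transfer(session, genuine),
        handle_transfer(session, genuine),  # same token again: already consumed
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The meta-tag variant uses the same functions: the page puts the token from issue_one_time_token into the content attribute, client-side code copies it into a request header or field, and the server runs consume_one_time_token on it.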
3. NGINX valid_referer
Checking the Referer header in NGINX rejects state-changing requests whose referring page is not one of the site's own hosts. See NGINX: Valid Referer - Linux Cookbook.
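An NGINX fragment for the transfer endpoint from the form above, added here as an illustration rather than taken from the linked cookbook page; the fastcgi_pass socket path is an assumption to adapt to your setup.

```nginx
location = /transfer.php {
    # none: no Referer header at all; blocked: header present but emptied by a proxy;
    # server_names: any host listed in this server's server_name. Anything else
    # sets $invalid_referer to "1".
    valid_referers none blocked server_names;

    if ($invalid_referer) {
        return 403;
    }

    fastcgi_pass unix:/run/php-fpm.sock;   # assumed PHP backend, adjust to your setup
    include fastcgi_params;
}
```

Note that the none keyword lets a request with no Referer header through, which keeps privacy-conscious clients working but means the check complements the token rather than replacing it; drop none only if you are prepared to reject those clients on this endpoint.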
4. XSS Prevention
Cross Site Scripting, XSS (跨站脚本攻击)
Token-based CSRF protection depends on the token staying secret: a script injected through an XSS bug runs on the site's own origin and can read the meta tag or hidden field, so fixing XSS is a prerequisite. See NGINX: Cross Site Scripting, XSS (跨站脚本攻击) - Linux Cookbook.