New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Why use referrer header for CSRF protection when you have sychronizer tokens? #364
Comments
I'll add a reference to CSRF and the synchronizer token pattern from OWASP and second the question. |
Because that's how the code was written years ago. Given how vague this issue is worded, I would have to re-research our current implementation and compare it to the suggested alternative to even understand if it would be necessary or feasible to change. If someone wants to put in such work and suggest a way forward, fine, otherwise I'll probably close this. |
If
I realize that opting out is as easy as setting I lean towards doing the |
Doing some research on OWASP, further down the same page linked earlier, OWASP does recommend checking the Referer header but only if the Origin header is not present. The current code does not make any such distinction and an addition to match the OWASP recommendation would be a worthy improvement. In addition, what Target origin to compare either of those to is considered by OWASP to be non-trivial because "the application server is frequently sitting behind one or more proxies and the original URL is different from the URL the app server actually receives". In fact, their third recommendation to use the
unless If there is a more appropriate source than OWASP to quote from, then I am not aware of it, but am open to suggestions. |
Mozilla links to the above HTTP header values: |
You need to configure your app with ProxyFix then. The app should know how it's proxied. That seems to address your findings. They seem orthogonal to the original question though. |
For now we run nginx with this but will be moving to GCP and not reverse proxying with nginx any longer. We'll see how we resolve that, but that still does not touch on the Origin header vs Referer header topic. |
As far as the orthogonality to the original question, variability is a concern in security software. The less variability the better. And assumptions can be killer. If only the first item below from OWASP guidance concerning CSRF is followed and nothing more, then the user can easily be in for an unpleasant surprise regarding what protections are or are not being magically provided by their framework. It'll take some digging for them to find all the pieces that must be put together. In any case, focusing in on the original question alone and ignore any dangers from variance, OWASP guidance is to:
where (4) includes:
hence, the answer to this ticket is that both "synchronizer token pattern" and "verifying the origin" are necessary to meet OWASP security standards if the SameSite Cookie Attribute is not very strict (sorry, couldn't help the pun). Though, to be honest, I have read of security experts poo-pooing the security of Same Origin so likely the more mitigations the better. So, if there are no other topics other than Origin header vs Referer header which I am still curious about, then this ticket should be closed based upon that research. |
Here is a link to proxy setups and ProxyFix for the curious reader who trundles here at a later date. |
I'm new to the security game. I'd understood that a sychronizer token and a referrer header were doing basically the same thing, and that a sychronizer token is more robust. What does a referrer header add that a sychronizer token doesn't address?
The text was updated successfully, but these errors were encountered: