Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update: CSRF Cheat Sheet #1535

Open
cronchie opened this issue Nov 7, 2024 · 1 comment
Open

Update: CSRF Cheat Sheet #1535

cronchie opened this issue Nov 7, 2024 · 1 comment
Assignees
@cronchie
Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it.

Comments

@cronchie
Copy link

cronchie commented Nov 7, 2024
edited
Loading

What is missing or needs to be updated?

This sentence is correct but misleading:

IMPORTANT: Remember that Cross-Site Scripting (XSS) can defeat all CSRF mitigation techniques!

It can imply a corollary that CSRF mitigations are unnecessary in the presence of XSS protections, which isn't what we want.

How should this be resolved?

Proposing instead:

While Cross-Site Scripting (XSS) vulnerabilities can bypass CSRF protections, CSRF tokens are still essential for web applications that rely on cookies for authentication. Consider the client and authentication method to determine the best approach for CSRF protection in your application.
@cronchie cronchie added ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet. labels Nov 7, 2024
@jmanico
Copy link
Member

jmanico commented Nov 7, 2024

Let's go PR, I like this a lot

@jmanico jmanico removed UPDATE_CS Issue about the update/refactoring of a existing cheat sheet. HELP_WANTED Issue for which help is wanted to do the job. labels Nov 7, 2024
@mackowski mackowski added ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. and removed ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. labels Nov 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cronchie cronchie

Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jmanico @cronchie @mackowski