JWT_AUTH_COOKIE makes APIs CSRF vulnerable.

[mohsen-mahmoodi]

Using the JWT_AUTH_COOKIE is vulnerable to CSRF attacks and this is not mentioned in the documentation nor mitigated against in the code.

[angvp]

How is that? please explain.

[Radobilly]

Maybe by brute forcing the default hs256 JWT_ALGORITHM as mentioned here and here

[angvp]

@Mahmoodi ? input please.

[klis87]

@Mahmoodi is right. Because JWT is saved in a cookie, it will be automatically sent with every request, causing successful authentication without any need to add JWT to request header by the application. Because of this, it is generally vulterable to CSRF in exactly the same way as usual cookie session, so actually there is no need to provide any example here as general CSRF vulnarability examples could be applied here.

[angvp]

Hey @klis87 thanks for jump in, yeah I got that from @Radobilly's links and some googling .. I will write some docs and will update this ticket so you can proofread and add/delete more info to the main docs.

[AdamStelmaszczyk]

Please correct me if I'm wrong, but seems to me that default Django CSRF protection, if used correctly, prevents problems:

https://docs.djangoproject.com/en/1.11/ref/csrf/

https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage also says that:

Leveraging your web app framework’s CSRF protection makes cookies rock solid for storing a JWT.

Update:

Ah ok, I see one more thing now. Django's CSRF tokens will be generated if one has django.middleware.csrf.CsrfViewMiddleware, but they get ignored when using JSONWebTokenAuthentication. So yes, it looks like JWT cookie is vulnerable to CSRF.

[EduardoNogueira]

Any update on this?

[bmpenuelas]

I noticed this risk and created a pull request adding an option to handle csrf protection when using JWT in http-only cookie.

Now I see it's an open issue, for those interested, check out #434 and maybe we can close this.

[CapedHero]

Perhaps this post might be illuminating?

[bmpenuelas]

It is @CapedHero, that is the behaviour that you get when using #434.

[PaulDFPV]

As well as requiring CSRF protection, shouldn't JWT_AUTH_COOKIE also be set with the Secure flag?

[bmpenuelas]

The Secure flag prevents the cookie from being sent over non-https connections, protecting it from eavesdropping among other things. Some users might want to protect their apps from CSRF and XSS while allowing them to work over http. In that case, the Secure flag would not be a suitable choice.

That said, using https and the Secure flag is of course advisable whenever possible.

[PaulDFPV]

Perhaps use the Secure flag by default and have an option to turn it off then?

[pou426]

There is currently no way to customise the cookie settings. It would be really useful to have the choice to set them, especially the secure and samesite flags. Thanks!

[bmpenuelas]

Yes @pou426 you can customize it the way you want using CSRF_COOKIE_SECURE and CSRF_COOKIE_SAMESITE respectively.