
preventing CSRF in a website POST request

I need to refactor, but not too much, a webapp (JSP without tag libraries) to prevent CSRF attacks. I can't use an algorithm like the one described here, but I think a nonce ID is the best solution for me: https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#CSRF_Prevention_Filter_for_REST_APIs Applying these arguments is very expensive because I have to change all calling requests (add a GET for every POST and force the client to do a second call), so I decided to add a hidden input text box in all my JSPs using a static include import, and a Java Filter for matching the session nonce ID and the request nonce ID. Is my solution a good practice and an alternative to the REST algorithm? Sorry for my bad English..

Thanks!

Roby

Your approach is called a honeypot captcha, which offers some protection, but it is not close to safe. If you use this approach, then I, as a user, will be able to edit your HTML and easily hack your site. Also, I can watch from the requests what is being sent and write my own program which will send you requests. So no, this is not a good approach on its own, but it is not a bad thing if you use it accompanied by real protection.
