This note does not have a description yet.
Links to this note
-
A refresh token in an OAuth setup using JSON Web Tokens (JWT) is used to request a new access token. Because access tokens are short-lived (to minimize the impact of a token being exfiltrated), a long-lived refresh token is commonly used to, for example, stay logged into an app rather than needing to log in every n minutes (the lifetime of the access token).
-
Refresh Token Rotation Detects Token Theft
When using refresh tokens to enable clients to get new access tokens, one danger is that the longer-lived refresh token can be stolen and used by an attacker to gain access to your application. This is especially tricky in the browser, where CSRF and XSS are commonplace.
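Added example, not code from the linked note: a minimal server-side refresh-token store that rotates tokens on every use and treats a replay of an already-rotated token as theft, revoking the whole token family. The family concept, the `RefreshTokenStore` class and the `theft_scenario` walkthrough are assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class RefreshTokenStore:
    """Server-side store for refresh tokens grouped into families.

    A family is one login session; every rotation mints a new token in the
    same family and marks the presented one as used. Presenting a used token
    again means two parties hold copies, so the whole family is revoked.
    """
    tokens: dict = field(default_factory=dict)        # token -> record
    revoked_families: set = field(default_factory=set)

    def issue(self, family=None):
        """Mint a fresh refresh token, starting a new family on login."""
        family = family or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"family": family, "used": False}
        return token

    def rotate(self, presented):
        """Exchange a refresh token for a new one.

        Returns (new_token, None) on success or (None, reason) on failure.
        """
        record = self.tokens.get(presented)
        if record is None:
            return None, "unknown token"
        if record["family"] in self.revoked_families:
            return None, "family revoked"
        if record["used"]:
            # Replay of an already-rotated token: either the real client or a
            # thief is holding a stale copy. Revoke the family so that whoever
            # holds the newest token is locked out too and must log in again.
            self.revoked_families.add(record["family"])
            return None, "reuse detected, family revoked"
        record["used"] = True
        return self.issue(record["family"]), None


def theft_scenario():
    """Constructed walkthrough: a token copy is replayed after rotation."""
    store = RefreshTokenStore()
    t1 = store.issue()                    # client logs in
    stolen = t1                           # a copy leaks (e.g. via XSS)
    t2, _ = store.rotate(t1)              # client refreshes; t1 is now used
    _, replay_err = store.rotate(stolen)  # stale copy replayed: theft detected
    _, client_err = store.rotate(t2)      # client's current token is dead too
    return replay_err, client_err
```

The legitimate client is also logged out when a family is revoked; that forced re-login is the signal that something held a copy of the token.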
-
Cookies Set on a Public Suffix Domain Are Considered Cross-Origin
Setting a cookie doesn't always have the same behavior. If you set a cookie on a domain listed in the public suffix list using SameSite=strict, it will get blocked by CORS even if the request and the cookie are coming from the same domain.
-
Block Old Browsers If You Use Samesite Cookies to Prevent CSRF
One way to mitigate CSRF attacks is to only allow cookies to be forwarded along with a request if they are from the same site, using SameSite=Lax or SameSite=Strict. However, not all browsers support this setting yet.