AgentME 7 days ago
It's very nice to have an up-to-date writeup like this. I've gotten some odd looks for telling people that classic CSRF tokens are unnecessary work since the Origin header became widely supported, and I'm glad to have a page like this to refer people to.
nchmy 6 days ago | parent
A few more links that I collected recently on the topic:
https://github.com/golang/go/issues/73626
https://developer.mozilla.org/en-US/docs/Web/Security/Attack...
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...
https://web.dev/articles/fetch-metadata
https://appliedgo.net/spotlight/csrf-dont-mess-with-my-site/
And some older ones that focused on the Origin header rather than sec-fetch-*:
https://www.sjoerdlangkemper.nl/2019/02/27/prevent-csrf-with...
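A defender's illustration of the Origin / Sec-Fetch-Site check the thread discusses, added here as example code (not from either commenter, and not the Go project's own implementation); the function names are hypothetical and the precedence rules, including treating same-site as not good enough, are this example's own choice:

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// allowRequest reports whether a request may perform a state-changing action.
// Order of checks (this example's own policy, not a standard):
//  1. Safe methods are always allowed; they must not change state anyway.
//  2. If the browser sent Sec-Fetch-Site, trust it: only same-origin (or a
//     user-initiated navigation, "none") passes; cross-site and same-site fail.
//  3. Otherwise compare the Origin header's host with the request Host.
//  4. No Origin and no Sec-Fetch-Site means a non-browser client (curl, an
//     old UA); it carries no ambient browser credentials, so it is allowed.
func allowRequest(r *http.Request) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true
	}
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin", "none":
		return true
	case "cross-site", "same-site":
		return false
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	// An Origin of "null" (sandboxed iframe, redirect chain) parses to an
	// empty host and therefore fails the comparison below, which is intended.
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	return strings.EqualFold(u.Host, r.Host)
}

// CrossOriginGuard wraps a handler and rejects requests allowRequest denies.
func CrossOriginGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowRequest(r) {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Note that the Host comparison assumes the server sees the real Host header (or a reverse proxy that preserves it); behind a proxy that rewrites it, compare against a configured list of trusted origins instead.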