I am writing an application (Django, it so happens) and I just want an idea of what actually a "CSRF token" is and how it protects the data.
Is the post data not safe if you do not use CSRF tokens?
csrf
I am writing an application (Django, it so happens) and I just want an idea of what actually a "CSRF token" is and how it protects the data.
Is the post data not safe if you do not use CSRF tokens?
Best Answer
Cross-Site Request Forgery (CSRF) in simple words
www.mybank.com
mybank.com
will result in a request of (conceptually) the formhttp://www.mybank.com/transfer?to=<SomeAccountnumber>;amount=<SomeAmount>
. (Your account number is not needed, because it is implied by your login.)www.cute-cat-pictures.org
, not knowing that it is a malicious site.mybank.com
(requires some luck!), they could include on their page a request likehttp://www.mybank.com/transfer?to=123456;amount=10000
(where123456
is the number of their Cayman Islands account and10000
is an amount that you previously thought you were glad to possess).www.cute-cat-pictures.org
page, so your browser will make that request.www.mybank.com
cookie and it will look perfectly legitimate. There goes your money!This is the world without CSRF tokens.
Now for the better one with CSRF tokens:
http://www.mybank.com/transfer?to=123456;amount=10000;token=31415926535897932384626433832795028841971
.mybank.com
will include on their own web page when they serve it to you. It is different each time they serve any page to anybody.www.mybank.com
.Result: You keep your
10000
monetary units. I suggest you donate some of that to Wikipedia.(Your mileage may vary.)
EDIT from comment worth reading by SOFe: