rfc: CSRF protection #879
rfc: CSRF protection #879
Conversation
|
I wonder if it would be better to make the option available under // astro.config.mjs
export default defineConfig({
security: {
csrfProtection: ["origin", "cookie"]
}
}) |
|
@florian-lefebvre that's a good suggestion. We do try to avoid nesting too early since we don't necessarily know if we'll ever add something like a |
|
I think CORS could be supported in the future as well but i can't see anything else rn |
|
@lilnasy do you envision some option for the CSP support? If so, we could add a top-level |
|
Not necessarily. It's too soon to say because it's only stage 1, but it's possible a solution could just work. I only envision a flag for backwards compatibility, and that's only if the picked solution can't be retrofitted. |
proposals/0046-csrf-protection.md
Outdated
|
|
||
| # Non-Goals | ||
|
|
||
| - Give the users the possibility to customise the implementation of the protection |
There was a problem hiding this comment.
I assume static support would be a non-goal here? We can only add CSRF protection to the routes that are handled by the Astro server, right?
There was a problem hiding this comment.
Yes, and the threat of CSRF is only relevant to data mutations, so I would think that this is okay.
|
|
||
| Most background is available here: https://owasp.org/www-community/attacks/csrf | ||
|
|
||
| Astro should provide some level of security to users. |
There was a problem hiding this comment.
Would love to discuss this! Obviously we should, but can we get more specific about what level of security we are able to provide and what must be left up to users? This RFC seems like a good reason to have that larger conversation.
There was a problem hiding this comment.
I am not good at writing, so if you have a better suggestion, I would really appreciate it
proposals/0046-csrf-protection.md
Outdated
|
|
||
| # Goals | ||
|
|
||
| - Add the required checks to prevent CSRF, probably via an option |
There was a problem hiding this comment.
I would expect a bit more detail here!
Here are some other potential goals to consider that may (not) be relevant:
- Automatically apply CSRF protection to all routes
- Allow users to configure CSRF protection per-route
- Enable CSRF protection by default (eventually)
- Only
pages/, or API endpoints too? - Only
server, orhybridtoo?
There was a problem hiding this comment.
I pushed two commits:
d25271b(#879) that clarifies the goalse299435(#879) that clarifies use cases
I wouldn't want to enable CSRF by default now because it could break users's applications. For the future, if we want to make it a default, I think it should require a separate discussion, outside of this RFC.
proposals/0046-csrf-protection.md
Outdated
| During the exploration phase, I found two ways to implement CSRF. | ||
|
|
||
| ## `"origin"` option | ||
|
|
||
| The header `origin` is a header that is preset and set by all modern browsers and there's no way to temper it. If the header `origin` won't match | ||
| the origin of the URL, Astro will return a 403. | ||
|
|
||
| This solution should fit most websites. | ||
|
|
||
| ## `"cookie"` option | ||
|
|
||
| The cookie solution is an alternative way to provide CSRF protection. It will be heavily inspired from [Angular](https://angular.io/guide/http-security-xsrf-protection). | ||
|
|
||
| When the first `GET` request to the application is sent, Astro will create a token that will be saved inside a cookie named `Astro-csrf-token`. This token will be read in the **known requests**. | ||
|
|
||
| This solution should fit more esoteric scenarios, where applications are behind reverse proxies. |
There was a problem hiding this comment.
This seems more like background than implementation. Can we automatically match the origin or does it require a user to configure the site? How would the cookie be generated? Is the cookie static or refreshed for each build?
|
In this commit |
proposals/0046-csrf-protection.md
Outdated
|
|
||
| The cookie solution is an alternative way to provide CSRF protection. It will be heavily inspired from [Angular](https://angular.io/guide/http-security-xsrf-protection). | ||
|
|
||
| When the **first** `GET` request is sent to the application, Astro will create a token that will be saved inside a cookie named `Astro-csrf-token`. This token will be read in the **known requests** and it doesn't match the expected value, it means that the request isn't genuine. |
There was a problem hiding this comment.
What is the **known requests**? Which requests are these that it's checked?
There was a problem hiding this comment.
They are mentioned in this paragraph, third sentence.
proposals/0046-csrf-protection.md
Outdated
|
|
||
| When the **first** `GET` request is sent to the application, Astro will create a token that will be saved inside a cookie named `Astro-csrf-token`. This token will be read in the **known requests** and it doesn't match the expected value, it means that the request isn't genuine. | ||
|
|
||
| The token must be unique for each user and must be verifiable by the server; his prevents the client from making up its own tokens. |
There was a problem hiding this comment.
I'm not sure how angular's approach works.
- From the sound of it, it seems stateful. Who writes the state, who reads the state, where does it go?
- The angular docs make mention of setting a custom header, implying they manage the client-side code that makes the request. Is astro going to offer a client-side
fetch()wrapper?
A few implementation details may help communicate the approach.
proposals/0046-csrf-protection.md
Outdated
| export default defineConfig({ | ||
| security: { | ||
| csrfProtection: { | ||
| cookie: ["cookie-name", "token-name"] |
There was a problem hiding this comment.
It comes across as odd that the token "name" is configurable because I don't think the token was introduced as a key-value pair.
Astro will create a token that will be saved inside a cookie named
Astro-csrf-token.
If "Astro-csrf-token" is the cookie name, the token is the value of that cookie, what's a token name?
Originally posted by @septatrix in withastro/astro#10678 (comment) |
|
@septatrix: have you read the RFC? The RFC proposes a cookie solution, it would be great if you could share your thoughts about that. |
|
@septatrix can you explain why this will break curl usage? Does curl not allow you to sit the origin header? |
|
Curl does allow setting headers but this has to be done manually, existing automation might fail and - as said above - this is not the case for everything. E.g. many load testing tools are very simplistic and do not allow setting headers. The cookie solution would still require changes to existing curl scripts and require one additional initial request to fetch the cookie. However, cookies are automatically handled by many other tools, especially client libraries in many programming languages establish session which store cookies between requests. |
|
One might also consider adding a configuration to the origin checking of how to treat requests with missing origin headers. To my knowledge this would apply to old browsers and most of non-browser tools. This would allow tools like curl et al to keep working while omitting the security checks for the fraction of users running very old browsers |
Co-authored-by: Arsh <69170106+lilnasy@users.noreply.github.com>
|
We decided to reduce the scope of the protection to the origin check only, hence the proposed configuration is also reduced. Changed applied in Also, this is a call for consensus! The RFC is ready to be shipped. |
|
Is it possible to opt-out of CSRF on a route basis? For example for webhooks like stripe |
No, it isn't possible at the moment. Do you have webhooks that send posts like they were forms? |
|
Not sure I understand what you mean. In the case of stripe, a webhook is a post route that accepts some data (through |
|
I understand now. I think it's a legitimate request, however, It can be implemented after this RFC lands |
|
I created a RFC so we don't don't forget #923 |
|
The final comment period has ended and this RFC is accepted. |
Summary
CSRF - Cross-site Request forgery - protection
Links