Not secure, will Fail. How to stop CSRF exploits? TLDR edition

How to stop CSRF exploits?

What changes to the HTTP protocol spec, and to browser behaviour, would be required to prevent dangerous cases of cross-site request forgery?

I am not looking for suggestions as to how to patch my own web app. There are millions of vulnerable web apps and forms. It would be easier to change HTTP and the browsers.

If you agree, please tell me what changes to the HTTP protocol and browser behaviour are needed. Here are my ideas:

– cookies should be declared ‘local’ (default) or ‘remote’
– the browser must not send ‘local’ cookies with a cross-site request
– the browser must never send http-auth headers with a cross-site request
– the browser must not send a cross-site POST or GET ?query without permission
– the browser must report and control attacks, where many cross-site requests are made
– the browser should send ‘Origin: (local|remote)’, even if ‘Referer’ is disabled
– other common web security issues such as XSHM should be addressed in the HTTP spec
– a new HTTP protocol version 1.2 is needed, to show that a browser is conforming
– browsers should update automatically to meet new security requirements, or warn the user

background: http://www.codinghorror.com/blog/2008/10/preventing-csrf-and-xsrf-attacks.html
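As an added illustration that is not part of the original post, here is a small Python model of the browser rules proposed in the list above: cookies default to 'local', 'local' cookies and HTTP-auth credentials are withheld from cross-site requests, an 'Origin: local|remote' header is always sent, and cross-site POSTs or GETs with a query string require permission. The 'Scope=local|remote' Set-Cookie attribute and the plain hostname comparison are assumptions of this model (real browsers compare registrable domains, and the SameSite cookie attribute that later shipped implements a similar idea).

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    host: str
    scope: str = "local"  # proposed default: not sent cross-site


def parse_set_cookie(host, header):
    """Parse a Set-Cookie value; 'Scope' is a hypothetical attribute for this model."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    scope = "local"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "scope" and val.strip().lower() in ("local", "remote"):
            scope = val.strip().lower()
    return Cookie(name, value, host, scope)


def is_cross_site(request_url, initiator_url):
    # Simplification: exact hostname comparison stands in for registrable-domain matching.
    return urlsplit(request_url).hostname != urlsplit(initiator_url).hostname


def build_request_headers(request_url, initiator_url, jar, basic_auth=None):
    """Headers the proposed browser attaches to request_url when a page at
    initiator_url initiated the request. basic_auth is a cached Authorization value."""
    cross = is_cross_site(request_url, initiator_url)
    host = urlsplit(request_url).hostname
    # 'local' cookies are dropped on cross-site requests; 'remote' ones still go.
    sent = [c for c in jar if c.host == host and (c.scope == "remote" or not cross)]
    headers = {"Origin": "remote" if cross else "local"}
    if sent:
        headers["Cookie"] = "; ".join(f"{c.name}={c.value}" for c in sent)
    if basic_auth and not cross:  # never send http-auth headers cross-site
        headers["Authorization"] = basic_auth
    return headers


def needs_permission(method, request_url, cross):
    """Cross-site POST, or cross-site GET carrying a ?query, must be confirmed by the user."""
    if not cross:
        return False
    method = method.upper()
    return method == "POST" or (method == "GET" and bool(urlsplit(request_url).query))
```

A server-side check in this model is simply: reject a state-changing request whose Origin header is 'remote', and rely on the browser having already stripped the 'local' session cookie.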
