Stop CSRF Attacks in Your PHP Admin Panel
A researcher found a hole in my admin panel. He published a video to the front page using a forged form. The form rode on my logged-in browser session, so he did not need a password. This is CSRF (cross-site request forgery).
Standard synchronizer tokens failed for two reasons.
- Caching. The LiteSpeed cache serves a stored copy of the form, so the embedded token is stale by the time it is submitted.
- Tabs. Editors work in many tabs at once. A token rotated by one tab invalidates the forms open in the others and causes 403 errors.
I used double-submit cookies instead.
- Server sets a random cookie.
- Client sends the value back in a header.
- Server checks if they match.
- The same-origin policy stops an attacker's page from reading the cookie, so it cannot copy the value into the header.
Plain double-submit cookies have one flaw. A cookie set from any subdomain is sent to the parent domain, so a planted cookie can be paired with a matching header. I fixed this with two steps.
- HMAC signatures. The token carries a keyed signature over the session id, which binds it to the session; a cookie planted from elsewhere fails verification.
- The __Host- prefix. Browsers only accept a __Host- cookie that is Secure, has Path=/ and carries no Domain attribute, so other subdomains cannot set it.
Follow these rules for your code.
- Put the check in the dispatcher, before any handler runs. This makes security the default rather than something each handler must remember.
- Use hash_equals for the comparison. It runs in constant time, so response timing leaks nothing about the token.
- Disable caching for admin pages. Cached responses are what made the tokens stale in the first place.
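Putting the pieces above together in PHP, as an added example rather than the post's own code: the cookie name, the header name, the CSRF_SECRET environment variable and the admin_dispatch wrapper are assumptions, and the app is assumed to use native PHP sessions on PHP 7.3 or later.

```php
<?php
// Added example, not the post's own code. Assumes PHP 7.3+, native sessions,
// and a long random secret in the CSRF_SECRET environment variable.

const CSRF_COOKIE = '__Host-csrf';        // __Host- prefix: Secure, Path=/, no Domain attribute
const CSRF_HEADER = 'HTTP_X_CSRF_TOKEN';  // X-CSRF-Token request header as PHP exposes it

// HMAC over session id + nonce: a token minted on another subdomain, or for
// another session, fails verification even though the cookie name matches.
function csrf_sign(string $nonce): string {
    $secret = (string) getenv('CSRF_SECRET');   // assumed to be set outside the code base
    if (strlen($secret) < 32) throw new RuntimeException('CSRF_SECRET missing or too short');
    return hash_hmac('sha256', session_id() . '|' . $nonce, $secret);
}

// True when the cookie value carries a valid signature for the current session.
function csrf_cookie_ok(string $cookie): bool {
    [$nonce, $sig] = array_pad(explode('.', $cookie, 2), 2, '');
    return $nonce !== '' && hash_equals(csrf_sign($nonce), $sig);
}

// One stable token per session (works across tabs and cached pages); reissued
// only when the session changed, e.g. after login regenerated its id.
function csrf_issue(): void {
    if (csrf_cookie_ok($_COOKIE[CSRF_COOKIE] ?? '')) return;
    $nonce = bin2hex(random_bytes(16));
    setcookie(CSRF_COOKIE, $nonce . '.' . csrf_sign($nonce), [
        'secure' => true, 'path' => '/', 'httponly' => false, 'samesite' => 'Strict',
    ]);   // httponly is false on purpose: page scripts must read it to fill the header
}

// Double-submit check: header equals cookie and cookie is signed for this session; hash_equals keeps both comparisons constant-time.
function csrf_valid(): bool {
    $cookie = $_COOKIE[CSRF_COOKIE] ?? '';
    $header = $_SERVER[CSRF_HEADER] ?? '';
    return $cookie !== '' && hash_equals($cookie, $header) && csrf_cookie_ok($cookie);
}

// Dispatcher entry point: every state-changing admin request passes through
// here, so a handler that forgets the check cannot reopen the hole.
function admin_dispatch(callable $route): void {
    session_start();
    header('Cache-Control: no-store');    // never let LiteSpeed or any cache store admin pages
    csrf_issue();
    if (!in_array($_SERVER['REQUEST_METHOD'], ['GET', 'HEAD', 'OPTIONS'], true) && !csrf_valid()) {
        http_response_code(403);
        exit('Forbidden');                // the forged form from the report now ends here
    }
    $route();
}
```

Because every request enters through admin_dispatch, the check also covers handlers added later, and the token stays valid across tabs and cached pages until the session id changes.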
The researcher's forged form now gets a 403 error. Your admin panel must be secure by default.