Stop CSRF Attacks in Your PHP Admin Panel
A researcher hacked my admin panel. He used a fake form. I was logged in. He published a video without my knowledge. This is CSRF.
Synchronizer tokens stored in the server-side session often break with page caching: a cached form carries a stale token. If you rotate them per request, they also break when you open multiple tabs. Double-submit cookies solve both, because the token lives in the browser instead of in session state.
The process is simple.
- The server sets a random value in a cookie.
- Your page echoes the same value back in a hidden form field or a custom request header, so every state-changing request carries it twice: once in the cookie, once in the body or header.
- The server checks if they match.
A page on another origin cannot read your cookies, so the attacker's forged form cannot supply the matching value. The comparison fails. The request is rejected.
Follow these rules for your code:
- Compare tokens with hash_equals. == and === stop at the first mismatched byte and leak timing data.
- Put the check in your dispatcher (front controller), before any route runs. This makes security the default instead of something each handler must remember.
- Sign the token with an HMAC keyed by a server secret and bound to the session ID. A plain random cookie is defeated by cookie tossing: an attacker who controls any subdomain can set a cookie for the parent domain and submit the same value in their form.
- Use the __Host- cookie prefix. The browser only accepts such a cookie over HTTPS, with Path=/ and no Domain attribute, so a subdomain cannot set or overwrite it.
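The four-step process and the four code rules above, as one added PHP example. This is my illustration, not the post's code. It assumes the dispatcher has already called session_start(), that a server key of at least 32 bytes is available in a hypothetical CSRF_SECRET environment variable, and that the cookie, form field and header names shown are the ones your application uses.

```php
<?php
// Added example: signed double-submit CSRF token for a PHP front controller.
// Assumptions (not from the post): CSRF_SECRET env var holds a >=32-byte key,
// session_start() has already run, names below are hypothetical.
declare(strict_types=1);

const CSRF_COOKIE = '__Host-csrf';        // __Host-: Secure, Path=/, no Domain
const CSRF_FIELD  = 'csrf_token';         // hidden form field name
const CSRF_HEADER = 'HTTP_X_CSRF_TOKEN';  // $_SERVER key for X-CSRF-Token

function csrf_secret(): string
{
    $secret = getenv('CSRF_SECRET');
    if ($secret === false || strlen($secret) < 32) {
        throw new RuntimeException('CSRF_SECRET must be set to at least 32 bytes');
    }
    return $secret;
}

// Token = random . '.' . HMAC(secret, session_id . '|' . random).
// The HMAC binds the value to this session and to the server key, so a cookie
// tossed from a subdomain (attacker sets both cookie and form field) fails.
function csrf_issue(): string
{
    $random = bin2hex(random_bytes(16));
    $mac    = hash_hmac('sha256', session_id() . '|' . $random, csrf_secret());
    $token  = $random . '.' . $mac;
    setcookie(CSRF_COOKIE, $token, [
        'secure'   => true,
        'httponly' => false,   // JS must read it to echo it into a request header
        'samesite' => 'Strict',
        'path'     => '/',
        // no 'domain' key: the browser rejects a __Host- cookie that sets Domain
    ]);
    return $token;
}

// Pure check, separated from globals so it can be unit-tested.
function csrf_validate_token(string $cookie, string $submitted,
                             string $sessionId, string $secret): bool
{
    // Step 3 of the process: both copies present and byte-identical (constant time).
    if ($cookie === '' || $submitted === '' || !hash_equals($cookie, $submitted)) {
        return false;
    }
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$random, $mac] = $parts;
    // Cookie-tossing defence: the MAC must verify under the server key for this session.
    $expected = hash_hmac('sha256', $sessionId . '|' . $random, $secret);
    return hash_equals($expected, $mac);
}

// Dispatcher hook: every non-safe method must carry a valid token.
function csrf_enforce(): void
{
    if (in_array($_SERVER['REQUEST_METHOD'] ?? 'GET', ['GET', 'HEAD', 'OPTIONS'], true)) {
        return;
    }
    $cookie    = $_COOKIE[CSRF_COOKIE] ?? '';
    $submitted = $_POST[CSRF_FIELD] ?? $_SERVER[CSRF_HEADER] ?? '';
    if (!csrf_validate_token($cookie, $submitted, session_id(), csrf_secret())) {
        http_response_code(403);
        exit('CSRF check failed');
    }
}

// Usage in the front controller (index.php), before routing:
//   session_start();
//   csrf_enforce();
//   $token = $_COOKIE[CSRF_COOKIE] ?? csrf_issue();
//   echo '<input type="hidden" name="' . CSRF_FIELD . '" value="'
//      . htmlspecialchars($token, ENT_QUOTES) . '">';
```

Because the token is tied to session_id(), regenerating the session on login or destroying it on logout invalidates every outstanding token at once, which is what the logout rule below relies on. The hidden field is per-session, so the rendered admin form must never be served from a shared cache.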
Follow these operational rules:
- Do not cache admin pages. A cached form hands one user's token to the next.
- Clear the session and the CSRF cookie on logout.
- Test with curl in your CI pipeline: a POST without the token, and one with a cookie that does not match the field, must both come back 403.
Secure your admin panel before someone else does.