DEV Community

Clavin June

Do I Need CSRF Token?

Do I need to implement a CSRF Token even though my backend and frontend apps are separated?

Discussion (7)

Stefan Linke

Yes. CSRF has nothing to do with a common codebase. It protects backend actions from being involuntarily triggered.

Like, for example, an embedded "image" here in a comment, which triggers a logout for everyone seeing it. (Not actually possible, since logout is CSRF-protected in this case.)

Clavin June (Author)

But I don't think logout is harmful. Can you give me another example, please?

Stefan Linke

Hm, that was a bad example.

Basically anything triggering an action can be affected. The action can be triggered involuntarily on the user's behalf; that's the actual problem. A CSRF Token prevents this.

Publishing a post, deleting your account, changing your profile name, posting this comment, liking a post, ...
Depends on the application.

See owasp.org/www-community/attacks/csrf for more information.
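To make the synchronizer-token check described above concrete, here is an added example (not code from this thread or from dev.to): a CSRF token is bound to the session at login, and every state-changing request must present it in a header or form field. A cross-site form post carries the session cookie automatically but cannot read the token, so the backend refuses it. The store, function names, request shape and the `X-CSRF-Token` header name are assumptions for the example.

```python
import hmac
import secrets

# In-memory session store keyed by session-cookie value; a constructed
# stand-in for whatever store the backend really uses.
SESSIONS = {}

# Safe methods must not change state, so they need no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def login(user):
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the frontend embeds in its forms or sends in a header."""
    return SESSIONS[sid]["csrf"]


def is_request_allowed(request):
    """Synchronizer-token check, run before any state-changing handler.

    `request` is a dict with keys method, cookies, headers and form
    (a constructed stand-in for a framework's request object).
    """
    if request["method"] in SAFE_METHODS:
        return True
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return False  # no valid session at all
    # The token may arrive in a header (fetch/XHR) or a form field (HTML form).
    presented = request["headers"].get("X-CSRF-Token") or request["form"].get("csrf_token")
    if not presented:
        return False  # cookie alone is not proof the user intended this
    # Constant-time comparison against the token bound to this session.
    return hmac.compare_digest(presented, session["csrf"])


def delete_account(request):
    """Example state-changing action; returns an HTTP-style status code."""
    if not is_request_allowed(request):
        return 403
    del SESSIONS[request["cookies"]["session"]]
    return 200
```

A forged request from another origin reaches `delete_account` with the victim's session cookie but no token and is answered with 403, while the application's own frontend, which knows the token, gets 200.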

Clavin June (Author)

I see, that makes sense. That's why the CSRF Token will be regenerated for every request. Thanks, gonna read that soon.

Clavin June (Author)

But what if I already handle that using token-based auth? Do I still need that?

Ricardo Sawir

Login submitted involuntarily.

Clavin June (Author)

It can't be triggered if there are no valid creds and the resource is protected with token-based auth.