DEV Community

Clavin June

Do I Need CSRF Token?

Do I need to implement a CSRF Token even though my backend and frontend apps are separated?

Top comments (7)

Stefan Linke

Yes. CSRF has nothing to do with a common codebase. It protects actions against the backend from being involuntarily triggered.

Like, for example, an embedded "image" here in a comment, which triggers a logout for everyone seeing it. (Not actually possible, since logout is CSRF protected in this case)

Clavin June

But I don't think logout is harmful, can you give me another example please?

Stefan Linke

Hm, that was a bad example.

Basically anything triggering an action can be affected. The action can be triggered involuntarily on the user's behalf, that's the actual problem. A CSRF Token prevents this.

Publishing a post, deleting your account, changing profile name, posting this comment, liking a post, ...
Depends on the application.

See owasp.org/www-community/attacks/csrf for more information.

Clavin June

I see, that makes sense. That's why the CSRF Token will be regenerated for every request. Thanks, going to read that soon.

Clavin June

But what if I already handle that using token-based auth? Do I still need that?

Ricardo Sawir

Login submit involuntarily.

Clavin June

It can't be triggered if there are no valid creds and the resource is protected with token-based auth.
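To make the two points in this thread concrete (Stefan's, that a state-changing action can be sent by the browser with the victim's cookies attached, and Clavin's question of whether header-based token auth changes that), here is an added Python example; it is not part of the original thread or of any project. It simulates three versions of a "delete account" endpoint against constructed in-memory session and token stores (`SESSIONS`, `BEARER_TOKENS`, the `Request` dataclass and all handler names are hypothetical) and returns, for each version, the status code a legitimate request and a cross-site request receive.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request as the server sees it."""
    cookies: dict = field(default_factory=dict)  # browser attaches these to every request to the site
    headers: dict = field(default_factory=dict)  # custom headers are set only by the site's own JS
    form: dict = field(default_factory=dict)     # POST body fields


# Hypothetical in-memory stores: session id -> session data, bearer token -> user.
SESSIONS: dict = {}
BEARER_TOKENS: dict = {}


def new_session(user: str) -> str:
    """Create a cookie session and a per-session synchronizer (CSRF) token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def delete_account_cookie_only(req: Request) -> int:
    """Cookie session, no CSRF check: any page that makes the browser POST here succeeds."""
    if SESSIONS.get(req.cookies.get("session")) is None:
        return 401
    return 200  # would delete the account


def delete_account_cookie_with_csrf(req: Request) -> int:
    """Cookie session plus synchronizer token read from the form body."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    submitted = req.form.get("csrf_token", "")
    # Constant-time compare; a page on another origin cannot read the token to include it.
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return 403
    return 200


def delete_account_bearer(req: Request) -> int:
    """Token-based auth carried in the Authorization header; cookies are ignored."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or auth[len("Bearer "):] not in BEARER_TOKENS:
        return 401
    return 200


def simulate() -> dict:
    """Run a legitimate and a cross-site (forged) request against each handler."""
    sid = new_session("alice")
    token = secrets.token_urlsafe(32)
    BEARER_TOKENS[token] = "alice"

    # The site's own page: has the cookie and embeds the token it was served.
    legit_cookie = Request(cookies={"session": sid},
                           form={"csrf_token": SESSIONS[sid]["csrf"]})
    # A request the browser sends on behalf of another origin: the cookie rides
    # along automatically, but the token field can only hold a guess.
    forged_cookie = Request(cookies={"session": sid}, form={"csrf_token": "guess"})

    # Token-based auth: the site's JS adds the header; another origin's page cannot.
    legit_bearer = Request(headers={"Authorization": "Bearer " + token})
    forged_bearer = Request(cookies={"session": sid})

    return {
        "cookie_only": (delete_account_cookie_only(legit_cookie),
                        delete_account_cookie_only(forged_cookie)),
        "cookie_with_csrf": (delete_account_cookie_with_csrf(legit_cookie),
                             delete_account_cookie_with_csrf(forged_cookie)),
        "bearer_header": (delete_account_bearer(legit_bearer),
                          delete_account_bearer(forged_bearer)),
    }


if __name__ == "__main__":
    for name, (legit, forged) in simulate().items():
        print(f"{name:17} legitimate={legit} forged={forged}")
```

The first handler shows the problem Stefan describes: the forged request is accepted because the browser sent the session cookie on its own. The second is the synchronizer-token fix; the forged request fails the token check. The third holds only because the credential lives in a header that the site's own JavaScript sets per request; if the same token were stored in a cookie, the browser would attach it automatically and the endpoint would be back in the first case.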