
Discussion on: Block malicious login attempts, but preventing account lock-outs.

Tari R. Alfaro (tarialfaro)

Also, I don't think CSRF tokens should be the only solution to this issue. What if we're building a RESTful HTTPS API and not a website? Then aren't the CSRF tokens useless?

Ari Kalfus (artis3n) • Edited

CSRF will prevent malicious actions like trying to log into someone else's account. A bot could still script its way into creating an account on your website by taking valid, automated actions. You could do something like Google captcha, but that's such an annoying user experience. Requiring users to confirm account creation via email link is a decent way to stop most bots.

Ari Kalfus (artis3n)

Yes, CSRF is not valid if there is no browser involved, as it abuses default browser behavior. Some out-of-band authentication method, like verifying your account creation via email, can help prevent spamming. It doesn't block those attempts, however. Just prevents them from working.
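The two comments above (CSRF tokens stop cross-site forgery but not scripted clients; an emailed verification link is what actually gates the account) can be illustrated with a small in-memory model. This is an added example written for this thread, not code from any commenter or from DEV; the server state (`Registry`), the session ids, email addresses and the "outbox" standing in for real mail delivery are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed server-side key for the synchronizer CSRF token (never reuse a
# process-local key like this across real server instances).
CSRF_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer-style token: HMAC of the session id under a server secret.

    The browser only learns it by rendering the form in its own session, which
    is exactly what a cross-site attacker page cannot do.
    """
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, token: Optional[str]) -> bool:
    if token is None:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), token)


@dataclass
class Registry:
    """Hypothetical account store for a registration endpoint."""
    accounts: dict = field(default_factory=dict)  # email -> {"active": bool}
    pending: dict = field(default_factory=dict)   # verification token -> email
    outbox: list = field(default_factory=list)    # simulated out-of-band mail

    def register(self, session_id: str, form: dict) -> str:
        """POST /register: CSRF check first, then create an inactive account."""
        if not csrf_token_valid(session_id, form.get("csrf")):
            return "rejected: missing/invalid CSRF token"
        email = form["email"]
        if email in self.accounts:
            return "rejected: account exists"
        self.accounts[email] = {"active": False}
        verify = secrets.token_urlsafe(32)   # unguessable, single use
        self.pending[verify] = email
        self.outbox.append((email, verify))  # delivered by email, not in the HTTP reply
        return "pending: check your email"

    def verify(self, token: str) -> str:
        """GET /verify?token=...: activates the account only with the mailed token."""
        email = self.pending.pop(token, None)
        if email is None:
            return "rejected: unknown verification token"
        self.accounts[email]["active"] = True
        return "active"


def scenario_cross_site_forgery() -> str:
    """Attacker page makes the victim's browser POST without the token: blocked."""
    reg = Registry()
    return reg.register("sess-victim", {"email": "victim@example.com"})


def scenario_scripted_bot() -> Tuple[str, str, bool]:
    """Bot behaves like a normal client (fetch form, read token, POST).

    CSRF passes, so the only thing standing between the bot and an active
    account is the verification token it never receives.
    """
    reg = Registry()
    sid = "sess-bot"
    submit = reg.register(sid, {"email": "bot@example.com", "csrf": issue_csrf_token(sid)})
    activate = reg.verify("not-the-mailed-token")  # bot has no access to the mailbox
    return submit, activate, reg.accounts["bot@example.com"]["active"]


def scenario_real_user() -> Tuple[str, bool]:
    """Legitimate user completes both steps, including the emailed link."""
    reg = Registry()
    sid = "sess-alice"
    reg.register(sid, {"email": "alice@example.com", "csrf": issue_csrf_token(sid)})
    email, verify = reg.outbox[-1]  # user clicks the link in the mail they received
    return reg.verify(verify), reg.accounts[email]["active"]


if __name__ == "__main__":
    print("forged cross-site POST:", scenario_cross_site_forgery())
    print("scripted bot:", scenario_scripted_bot())
    print("real user:", scenario_real_user())
```

Note that the bot's registration still lands in `accounts` as an inactive row: as the comment says, email verification stops the attempt from working rather than blocking it, so a real deployment still wants rate limiting and expiry of unverified rows on top of this.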

Ari Kalfus (artis3n)

Also, 2FA is the best way to stop bots IMO. Works as an additional layer of defense against someone malicious trying to log into a user's account as well.

Tari R. Alfaro (tarialfaro)

If a CSRF token could prevent automated logins, wouldn't it also protect against automated registering?