CSRF

Adding CSRF protection to forms.

status: accepted

Context

You can learn all about Cross-Site Request Forgery from EpicWeb.dev's forms workshop. The TL;DR idea is that a malicious adversary can trick a user into making a request to your server that they did not intend to make. This can be used to make requests to your server that can do anything that the user can do.

To defend against this attack, we need to ensure that the request is coming from a page that we control. We do this by adding a CSRF token to the page and checking that the token is present in the request. The token is generated by our own server and stored in an HTTP-only cookie. The browser sends that cookie with every request to our server, but a page on another origin cannot read it (and, being HTTP-only, neither can script running on our own pages). We also embed that same token in the form as a hidden field, and on submission we check that the token in the form matches the token in the cookie. A forged request from another site still carries the cookie, but it cannot supply a matching form value, so it is rejected. The cookie should also be signed by the server, so that a cookie planted by anything other than our server is rejected as well.

This is a fairly straightforward thing to set up, and there are great tools to help us do it (remix-utils specifically).

Decision

We'll implement CSRF protection for all our authenticated forms.

Consequences

This is a tiny bit invasive in the code, but it doesn't add much complexity. It's certainly worth the added security.

Copyright © 2023 Kent C Dodds