SECURITY: Is the csrf cookie enough to be safe against the CSRF attack? Shouldn't we also send a header in the call? Isn't that the CSRF point?

[frederikhors]

Is your feature request related to a problem? Please describe.

I'm using Kratos and Oathkeeper: what a joy!

I have a SPA (single page app).

The csrf and session cookie are there.

I call oathkeeper with those cookies only and it authenticates me against Kratos like well explained here.

Describe the solution you'd like

Should we send within each (POST or GET) call an header like X-CSRF-Token or something similar?

I think the csrf cookie is not enough for CSRF security attack (from what I understand by studying the problem).

Am I wrong?

[frederikhors]

More on this here: https://stackoverflow.com/a/34783845

An alternative approach (called the "Cookie-to-header token" pattern) is to set a Cookie once per session and the have JavaScript read that cookie and set a custom HTTP header (often called X-CSRF-TOKEN or X-XSRF-TOKEN or just XSRF-TOKEN) with that value. Any requests will send both the header (set by Javascript) and the cookie (set by the browser as a standard HTTP header) and then the server can check that value in the X-CSRF-TOKEN header matches the value in the cookie header. The idea being that only JavaScript run on the same domain would have access to the cookie, so JavaScript from another domain couldn't set this header to the right value (assuming the page is not vulnerable to XSS that would give access to this cookie). Even fake links (e.g. in a phishing email) would not work either, as even though they would appear to come from the right domain, only the cookie will be set but not X-CSRF-TOKEN header.

https://en.wikipedia.org/wiki/Cross-site_request_forgery#Cookie-to-header_token

[frederikhors]

@aeneasr Why are you closing it? Isn't that a serious security issue?

[frederikhors]

Can we add a way to check for CSRF header too?

[aeneasr]

No it really isn’t Ory Kratos‘ job nor is it possible to implement this. Ory Kratos doesn’t even speak GRPC. You need to solve this in your application. CSRF tokens are something to protect you from cross site request forgery. Authentication is letting a system know who you are. These are completely different things and it’s absolutely out of scope to be implemented in Ory Kratos.

[aeneasr]

I’m not mad by the way ;) It just wasn‘t clear what you wanted. Now that I understand that you want to protect your application from CSRF, and have not found an issue in Ory Kratos, it is clear what you wanted to say i. the original issue.

It’s great that you’re a fan! Sometimes these discussions (on a Sunday ;)) can stress out maintainers - sorry if the tone came on as harsh. I guess that’s the germaness in me ;)

Anyways, there really isn’t a way to do what you want for Ory Kratos and it’s not in the scope of the project.

However, adding CSRF protections is really easy as there are many libraries available that you can just include!

If you do find a CSRF issue in Ory Kratos itself please report it to the appropriate security channel. Thank you!

[frederikhors]

I understand what you meant. Thanks for the calm and fruitful response.

You are doing a wonderful job with Ory!

You are legends! Thanks so much!

[aeneasr]

Thank you @frederikhors :)