Improved CSRF documentation by specifying that the Double Submit Cookie Prevention is implemented, and detailed how it is implemented.
turing85 committed Feb 21, 2023
1 parent d6ceae4 commit d63cd9e
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion docs/src/main/asciidoc/security-csrf-prevention.adoc
@@ -9,7 +9,12 @@ include::_attributes.adoc[]

https://owasp.org/www-community/attacks/csrf[Cross-Site Request Forgery (CSRF)] is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.

Quarkus Security provides a CSRF prevention feature which consists of a xref:resteasy-reactive.adoc[RESTEasy Reactive] server filter which creates and verifies CSRF tokens in `application/x-www-form-urlencoded` and `multipart/form-data` forms and a Qute HTML form parameter provider which supports the xref:qute-reference.adoc#injecting-beans-directly-in-templates[injection of CSRF tokens in Qute templates].
Quarkus Security provides the https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie[Double Submit Cookie CSRF prevention]. This prevention requires that the CSRF token is never directly exposed to scripts executed on the client-side. In this extension, the CSRF token is:

* sent as `HTTPOnly` cookie to the client, and
* directly embedded in a hidden form input of server-side rendered forms, that are transmitted to and used by the client.
Thus, the extension consists of a xref:resteasy-reactive.adoc[RESTEasy Reactive] server filter which creates and verifies CSRF tokens in `application/x-www-form-urlencoded` and `multipart/form-data` forms and a Qute HTML form parameter provider which supports the xref:qute-reference.adoc#injecting-beans-directly-in-templates[injection of CSRF tokens in Qute templates].

== Creating the Project

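Review bot: the added paragraph `Thus, the extension consists of a xref:resteasy-reactive.adoc[RESTEasy Reactive] server filter ...` needs a blank line before it; in AsciiDoc a text line that directly follows a list item is a continuation of that item, so this sentence will render as part of the second bullet instead of as its own paragraph. Two smaller points in the same hunk: the cookie attribute is conventionally spelled `HttpOnly` (as in the `Set-Cookie` attribute name), not `HTTPOnly`, and the claim that the token "is never directly exposed to scripts executed on the client-side" is stronger than what the design provides, since the hidden form input sits in the page DOM and is readable by same-origin script. The property the Double Submit Cookie pattern relies on is that a page on another origin can read neither the `HttpOnly` cookie nor the form field, so the two values cannot be supplied together by a forged request; suggest rewording to "the CSRF token is never exposed to scripts running on other origins" or similar. Also `hidden form input of server-side rendered forms, that are transmitted` should drop the comma: `forms that are transmitted`.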

0 comments on commit d63cd9e