From d63cd9ecea71ff236b7f5f614f00f17634bd07db Mon Sep 17 00:00:00 2001 From: Marco Bungart Date: Tue, 21 Feb 2023 11:45:20 +0100 Subject: [PATCH] Improved CSRF documentation by specifying that the Double Submit Cookie Prevention is implemented, and detailed how it is implemented. --- docs/src/main/asciidoc/security-csrf-prevention.adoc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/src/main/asciidoc/security-csrf-prevention.adoc b/docs/src/main/asciidoc/security-csrf-prevention.adoc index 73108c11048780..c3997a87298613 100644 --- a/docs/src/main/asciidoc/security-csrf-prevention.adoc +++ b/docs/src/main/asciidoc/security-csrf-prevention.adoc 
@@ -9,7 +9,12 @@ include::_attributes.adoc[] https://owasp.org/www-community/attacks/csrf[Cross-Site Request Forgery (CSRF)] is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. -Quarkus Security provides a CSRF prevention feature which consists of a xref:resteasy-reactive.adoc[RESTEasy Reactive] server filter which creates and verifies CSRF tokens in `application/x-www-form-urlencoded` and `multipart/form-data` forms and a Qute HTML form parameter provider which supports the xref:qute-reference.adoc#injecting-beans-directly-in-templates[injection of CSRF tokens in Qute templates]. +Quarkus Security provides the https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie[Double Submit Cookie CSRF prevention]. This prevention requires that the CSRF token is never directly exposed to scripts executed on the client-side. In this extension, the CSRF token is: + +* sent as `HTTPOnly` cookie to the client, and +* directly embedded in a hidden form input of server-side rendered forms, that are transmitted to and used by the client. + +Thus, the extension consists of a xref:resteasy-reactive.adoc[RESTEasy Reactive] server filter which creates and verifies CSRF tokens in `application/x-www-form-urlencoded` and `multipart/form-data` forms and a Qute HTML form parameter provider which supports the xref:qute-reference.adoc#injecting-beans-directly-in-templates[injection of CSRF tokens in Qute templates]. == Creating the Project
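Review bot: The added sentence "This prevention requires that the CSRF token is never directly exposed to scripts executed on the client-side" is contradicted by the second bullet of the same hunk, which says the token is embedded in a hidden form input that is transmitted to and used by the client; a script running on that page can read a hidden input, so the claim should be narrowed to the cookie (the cookie carries `HttpOnly`, so client-side scripts cannot read it) rather than to the token as such. The hunk also never states the verification step that makes this a double-submit scheme; since the commit message says it details how the prevention is implemented, add a sentence after the bullets along the lines of "On form submission the filter compares the token in the form field with the token in the cookie and rejects the request if they do not match." Minor: write "sent as an `HttpOnly` cookie" (article, and the attribute is conventionally spelled `HttpOnly`), and drop the comma in "server-side rendered forms, that are transmitted", since the clause is restrictive.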