/nextjs-csrf

Primary language: TypeScript

Nextjs CSRF POC (Proof of Concept)

Demo

According to Wikipedia:

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.

This is a bare-minimum implementation of CSRF token protection with Next.js.

Module I used

There are some rules in this setup:

  • The CSRF secret is stored in the _csrf cookie. It is only needed server-side, so it should be HttpOnly so that page scripts cannot read it.
  • The CSRF token is stored in the x-xsrf-token cookie, to be sent back later as a request header on XHR/API calls. This cookie must be readable by JavaScript (not HttpOnly), otherwise the client cannot copy it into the header.
    • In this case I use axios to call the API, since it has built-in support for copying the XSRF cookie into a request header automatically. By default axios reads the cookie named XSRF-TOKEN and sends it as the X-XSRF-TOKEN header; set xsrfCookieName and xsrfHeaderName if your cookie or header names differ.
  • The restriction is only applied on the /api/* path.
  • The CSRF token is also available in req.token if you decide to pass it into pageProps from getServerSideProps.
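As an added example (this is not the repo's code, and the module the README refers to is not shown here), the following TypeScript implements the server side of the rules above: a secret kept in the _csrf cookie, a salted token derived from it, and a check that runs only for /api/* requests and validates the value of the x-xsrf-token request header against the secret cookie. The token format (salt.HMAC-SHA256), the skipping of GET/HEAD/OPTIONS, and the helper names are my assumptions. The check reads the token from the header rather than from the cookie on purpose: a forged cross-site request carries the victim's cookies automatically but cannot add a custom header, so the header is what proves the request came from the site's own script.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

// Cookie and header names as listed in the README.
export const SECRET_COOKIE = "_csrf";        // server-side secret, should be HttpOnly
export const TOKEN_COOKIE = "x-xsrf-token";  // readable by JS so the client can copy it
export const TOKEN_HEADER = "x-xsrf-token";  // header the XHR/API call must carry

// Assumption: token = "<salt>.<HMAC-SHA256(secret, salt)>". The module used by the
// repo may derive tokens differently; only the cookie/header layout is from the README.
export function createSecret(): string {
  return randomBytes(24).toString("hex");
}

function mac(secret: string, salt: string): string {
  return createHmac("sha256", secret).update(salt).digest("hex");
}

export function createToken(secret: string): string {
  const salt = randomBytes(8).toString("hex");
  return `${salt}.${mac(secret, salt)}`;
}

export function verifyToken(secret: string, token: string): boolean {
  const dot = token.indexOf(".");
  if (dot <= 0) return false;
  const expected = Buffer.from(mac(secret, token.slice(0, dot)), "utf8");
  const actual = Buffer.from(token.slice(dot + 1), "utf8");
  // Constant-time compare; timingSafeEqual throws on length mismatch, so guard it.
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

// Minimal Cookie header parser, enough for "a=b; c=d". Values are kept raw.
export function parseCookies(header: string | undefined): Record<string, string> {
  const out: Record<string, string> = {};
  for (const part of (header ?? "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// The subset of an incoming request the check needs (shaped like Node's IncomingMessage).
export interface CsrfRequest {
  method: string;
  url: string;
  headers: Record<string, string | undefined>;
}

// README rule: the restriction applies only to /api/*. Skipping safe methods
// (GET/HEAD/OPTIONS) is my addition; those requests must not change state anyway.
export function needsCsrfCheck(req: CsrfRequest): boolean {
  const safe = ["GET", "HEAD", "OPTIONS"];
  return req.url.startsWith("/api/") && !safe.includes(req.method.toUpperCase());
}

export type CsrfResult = { ok: true } | { ok: false; reason: string };

// Validate the token from the request HEADER against the secret from the cookie.
// A cross-site forged request carries the cookies but cannot set this header.
export function checkRequest(req: CsrfRequest): CsrfResult {
  if (!needsCsrfCheck(req)) return { ok: true };
  const secret = parseCookies(req.headers["cookie"])[SECRET_COOKIE];
  if (!secret) return { ok: false, reason: `missing ${SECRET_COOKIE} cookie` };
  const token = req.headers[TOKEN_HEADER];
  if (!token) return { ok: false, reason: `missing ${TOKEN_HEADER} header` };
  return verifyToken(secret, token)
    ? { ok: true }
    : { ok: false, reason: "token does not match secret" };
}
```

In a Next.js API route you would build a CsrfRequest from req.method, req.url and req.headers, call checkRequest, and answer 403 when ok is false; on the page side, createSecret and createToken run in getServerSideProps (or a wrapper around it) to set the two cookies and expose the token as req.token.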