webauthn-open-source/webauthn-simple-app

CSRF protection

Opened this issue · 1 comments

Would it be necessary to protect the POST requests in this library with a CSRF token? The response can't be read from other security contexts but it might still be abused to wrongly trigger risk engines.

I've been thinking about that. I don't think it's a direct attack, because the result messages contain a random challenge already (as part of the FIDO / WebAuthn protocol). But you may be right that the day a risk engine gets hooked up to this, it's possible to inject noise / increase risk scores through CSRF. Not an attack on its own, but perhaps part of a broader attack.

I aspire to write a XACML-style policy engine and a risk engine some day, so maybe this comes into play as part of that.