Reputation: 3050
Quote:
The web has changed a lot since CSRF was a "big thing", and tactics used with CSRF attacks are becoming outdated.
I personally don't protect against CSRF, mainly because I don't use blatantly insecure methods of authentication.
Does he make any sense?
Please provide me with some arguments, if I am correct, as to why this guy is being (stubborn?) or not thinking clearly, as I am trying to make a point but am actually not a hundred percent sure how to express it...
Upvotes: 0
Views: 117
Reputation: 536725
There is no sense in the quoted argument as-is, but presumably there is some other context we are missing.
It is unclear what form of authentication your colleague is proposing that would be 'not blatantly insecure', free from CSRF issues.
There are some possibilities, for example in a fully AJAX-driven app you might be passing in an auth token as an input parameter instead of relying on a session. In that case you wouldn't need an additional anti-CSRF measure as the auth token would already be a secret unavailable to attackers.
But CSRF in general has not gone away; browsers have not grown magic features to stop it happening. For the typical model of webapp that uses a browser-persistent authentication model (cookies, HTTP Authentication), you definitely still need to address it in some way.
Upvotes: 5
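As an added illustration of the distinction the answer draws (example code written for this page, not taken from either post): a state-changing request authenticated by an explicitly supplied bearer token needs no extra anti-CSRF measure, while one authenticated by a browser-persistent session cookie must also carry a per-session token that a forged cross-site request cannot know. `Request`, `SESSIONS`, `API_TOKENS` and the function names are assumptions made for the example.

```python
# Added example, not from the original posts: why the authentication model
# decides whether a separate anti-CSRF check is needed for a state change.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)   # attached automatically by the browser
    headers: dict = field(default_factory=dict)   # a cross-site HTML form cannot set custom headers
    form: dict = field(default_factory=dict)


SESSIONS = {}     # session id -> {"user": ..., "csrf": ...}   (assumed in-memory store)
API_TOKENS = {}   # bearer token -> user                       (assumed in-memory store)


def login_with_cookie(user: str):
    """Cookie session: the browser sends the cookie with any request, including one
    forged by another origin, so a per-session CSRF token is minted alongside it."""
    sid, csrf = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": csrf}
    return sid, csrf


def issue_api_token(user: str) -> str:
    """Token auth: the secret only reaches the server if the page's own script
    adds it to the request, so it is never sent as ambient authority."""
    tok = secrets.token_urlsafe(32)
    API_TOKENS[tok] = user
    return tok


def authorize_state_change(req: Request) -> Optional[str]:
    """Return the acting user if a state-changing request is legitimate, else None."""
    if req.method not in ("POST", "PUT", "DELETE"):
        return None
    # Path 1: explicit bearer token in a header. No cookie is involved, so nothing
    # beyond the token itself is required.
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return API_TOKENS.get(auth[len("Bearer "):])
    # Path 2: cookie session. The cookie alone does not prove who built the request,
    # so the session's CSRF token must be present in the body (constant-time compare).
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return None
    if hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return sess["user"]
    return None
```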