avis

Reputation: 599

Do we need CSRF protection for public URLs

I have a web app that does not have any forms (disabled all form requests in the web server). It has only a few public URLs (with some GET params in the URL). There is no login and it does not use any cookies.

Do I need CSRF protection for this web app?

Upvotes: 2

Views: 1392

Answers (2)

prograhammer

Reputation: 20620

CSRF protection is usually geared towards forms where you want to ensure users are submitting requests originating from your own site (i.e. not some `<img>` tag exploit on another site). Also, a CSRF token is only a small barrier of protection if you are using it on public pages. Meaning, an attacker can always regularly DOM-scrape your site and grab a token to use on their own site, since the pages are public. It is more work the attacker will have to do, but it is still publicly available to the attacker. CSRF tokens are really intended for forms on private (behind a login) pages.

Upvotes: 1

Vroo

Reputation: 1083

XSRF or CSRF protection is only needed for domains that use cookies. Every request to your site carries your cookies even if the request comes from a web page not controlled by you. It is most important when you are modifying state on the server but there are cases where it can be useful even in cases where state is not changed.

http://j.mp/learn-xsrf contains a short tutorial on XSRF and how to avoid it, and allows you to actually try it out.

An example of where you might have an XSRF vulnerability with a non-state-changing request is if you have an image that users see to identify that they are on your authentic site. Some banks do this and the image is different for each user. However, if that image is served with a static URL that is cookie-dependent, it is vulnerable to XSRF and can be easily hosted on an attacker's site. You can avoid the problem by including an XSRF token in the URL. (Just using a different URL for each user would not be sufficient.)

Upvotes: 2
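The per-user identity image from the answer above, as an added example (not code from the original thread): a cookie-only handler beside a handler that also requires a session-bound token in the URL. The secret key, cookie name, query parameter name and the handler signatures are assumptions for the illustration.

```python
import hashlib
import hmac

# Assumption: a server-side secret; constructed value for this example only.
SECRET_KEY = b"constructed-example-secret"


def make_xsrf_token(session_id: str) -> str:
    """Derive a token bound to one session, so the token for another
    session (or one guessed without the secret) will not verify."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def serve_image_cookie_only(cookies: dict, query: dict) -> tuple[int, str]:
    """Vulnerable variant: the browser attaches the session cookie to any
    request for this URL, including one embedded on a third-party page,
    so the per-user image is served regardless of where it was requested."""
    session_id = cookies.get("session")
    if session_id is None:
        return 401, "no session"
    return 200, f"image-for-{session_id}"


def serve_image_with_token(cookies: dict, query: dict) -> tuple[int, str]:
    """Protected variant: the URL must also carry the token for this
    session. A third-party page can cause the cookie to be sent, but it
    cannot know the token, so the request is refused."""
    session_id = cookies.get("session")
    if session_id is None:
        return 401, "no session"
    token = query.get("xsrf")
    expected = make_xsrf_token(session_id)
    # Constant-time comparison; always compare against a real digest.
    if token is None or not hmac.compare_digest(token, expected):
        return 403, "missing or invalid xsrf token"
    return 200, f"image-for-{session_id}"


if __name__ == "__main__":
    cookies = {"session": "alice-session"}
    # Request originating from the authentic site: it includes the token.
    print(serve_image_with_token(cookies, {"xsrf": make_xsrf_token("alice-session")}))
    # Request caused by an embedded reference elsewhere: cookie only, no token.
    print(serve_image_cookie_only(cookies, {}))
    print(serve_image_with_token(cookies, {}))
```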
