Akshay Rawat

CSRF Protection on static pages

I have a static site which has forms. The forms submit to a Rails endpoint which captures the submitted data. The static site and the Rails endpoint are on the same domain, on different subdomains, and all traffic is completely on HTTPS.

I understand how Rails CSRF works for server-generated forms. But in my case, these forms are on static HTML pages. I understand all request headers can be faked, so I can't rely on that.

If a strong solution is not possible for this scenario, then my last option would be to move to server-generated forms (which I want to avoid for now).

Any suggestions on a good approach to this would be most welcome. Or any pointers to a system or a library which already does this.

Thanks

Upvotes: 2

Views: 1522

Answers (1)

rook

I recommend reading the CSRF prevention cheat sheet.

There are two static methods that can be used.

1) Use JavaScript to fetch the token and rewrite the static HTML page to include the nonce.

2) Check the Referer and Origin headers.

Upvotes: 2
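The two methods in the answer above, worked through as an added example (this is illustration code written for this page, not rook's code and not Rails's built-in `protect_from_forgery` implementation). The server side is shown as plain Ruby so it runs without Rails: a token endpoint issues an HMAC-bound, expiring token tied to the caller's session id, the form handler verifies it with a constant-time compare, and a separate check enforces the `Origin` header with `Referer` as the fallback, failing closed when both are absent. The host names `www.example.com` / `static.example.com`, the header hash with plain header names, and the session id string are assumptions for the example. On the static page, the JavaScript would `fetch` the token endpoint on the Rails subdomain with credentials and write the value into a hidden `authenticity_token` input; for that cross-subdomain fetch to work, the Rails endpoint has to respond with `Access-Control-Allow-Origin` set to exactly the static origin and `Access-Control-Allow-Credentials: true`.

```ruby
require 'openssl'
require 'securerandom'
require 'uri'

# Per-process key (assumption for this example; a Rails app would derive it
# from secret_key_base or credentials). Both issuing and verifying use it.
SECRET = SecureRandom.hex(32)
TOKEN_MAX_AGE = 2 * 60 * 60 # seconds a fetched token stays usable

# Origins allowed to post the static forms (assumed host names).
ALLOWED_ORIGINS = %w[https://www.example.com https://static.example.com].freeze

def hmac(secret, data)
  OpenSSL::HMAC.hexdigest('SHA256', secret, data)
end

# Constant-time equality so a forged MAC cannot be brute-forced byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Method 1 (server half): what the token endpoint returns to the page's JavaScript.
# Binding the MAC to the session id stops one user's token being replayed for another.
def issue_csrf_token(session_id, secret: SECRET, now: Time.now.to_i)
  "#{now}.#{hmac(secret, "#{session_id}|#{now}")}"
end

# Method 1 (server half): what the form endpoint checks on submit.
def valid_csrf_token?(token, session_id, secret: SECRET, now: Time.now.to_i, max_age: TOKEN_MAX_AGE)
  return false unless token.is_a?(String)
  issued_at, mac = token.split('.', 2)
  return false if issued_at.nil? || mac.nil? || issued_at !~ /\A\d+\z/
  issued = issued_at.to_i
  return false if issued > now || now - issued > max_age # future-dated or expired
  secure_compare(hmac(secret, "#{session_id}|#{issued_at}"), mac)
end

# Normalise a Referer URL down to its origin (scheme://host[:port]).
def origin_of(url)
  uri = URI.parse(url)
  return nil unless uri.scheme && uri.host
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host.downcase}#{port}"
rescue URI::InvalidURIError
  nil
end

# Method 2: Origin is authoritative when present (browsers send it on cross-origin
# POSTs and a "null" value fails the whitelist); Referer is the fallback. Requests
# with neither header are rejected, so the check fails closed.
def allowed_source?(headers, allowed = ALLOWED_ORIGINS)
  origin = headers['Origin']
  return allowed.include?(origin) if origin && !origin.empty?
  referer = headers['Referer']
  return false if referer.nil? || referer.empty?
  ref_origin = origin_of(referer)
  !ref_origin.nil? && allowed.include?(ref_origin)
end

# Both checks together, as the form handler would apply them.
def accept_form_post?(headers, params, session_id)
  allowed_source?(headers) && valid_csrf_token?(params['authenticity_token'], session_id)
end

if __FILE__ == $PROGRAM_NAME
  sid = 'sess-3f9a'                                  # constructed session id
  token = issue_csrf_token(sid)                      # what GET /csrf_token would return
  headers = { 'Origin' => 'https://www.example.com' }
  puts accept_form_post?(headers, { 'authenticity_token' => token }, sid)            # true
  puts accept_form_post?({ 'Origin' => 'https://evil.example.net' }, { 'authenticity_token' => token }, sid) # false
end
```

Checking `Origin`/`Referer` on its own is weaker than the token: some proxies and privacy settings strip `Referer`, so failing closed on a missing header will block those users, and a header-only check gives no protection if an allowed origin ever hosts attacker-controlled content. Using the header check as a second layer in front of the token, as above, keeps the token as the real control.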