Karandawov

Reputation: 93

Do I need CSRF tokens for WinForms?

If we are making a messenger program that requires a login and a password (and a client and a server), then, I assume, we actually need a security token, exactly in the same way you would on the web.

In fact, if the client has a valid security token that it sends to the server to perform any action, then the fact that the token matched means that any action (even "delete my account") is valid (unless we have a really good hacker). Right?

Upvotes: 0

Views: 433

Answers (1)

Neil McGuigan

Reputation: 48277

No, you don't. You only need CSRF protection on web pages or HTTP APIs that are accessed using a web browser. It's a confused deputy attack, and the deputy is the browser. https://en.m.wikipedia.org/wiki/Confused_Deputy

If the remote login URL is used by other apps that use a browser, then you would want CSRF protection.

You do want to handle authentication and authorization correctly though. Please use a framework appropriate for your server environment. Hash passwords and use TLS.

Upvotes: 1
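The distinction drawn in the answer, as an added example that is not part of the original post or of any framework: a server-side check that demands a CSRF token only when the credential is a cookie the browser attaches on its own, and not when a native client sends its token explicitly. The session store, token values, function name and the `x-csrf-token` header name are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed session store: session id -> (user, CSRF token issued with the session).
SESSIONS = {"sess-browser-1": ("alice", secrets.token_urlsafe(32))}
# Constructed bearer tokens that a native client stores and attaches itself.
BEARER_TOKENS = {"tok-desktop-1": "alice"}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def authorize(method, headers, cookies):
    """Return (allowed, reason) for one request.

    headers and cookies are plain dicts; header names are lower-case.
    """
    auth = headers.get("authorization", "")
    if auth.startswith("Bearer "):
        # Explicit credential: client code chose to attach it. A browser never
        # adds this header on its own, so there is no deputy to confuse.
        user = BEARER_TOKENS.get(auth[len("Bearer "):])
        if user is None:
            return (False, "unknown bearer token")
        return (True, "bearer token")

    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return (False, "not authenticated")

    # Ambient credential: the browser attaches the cookie to any request sent
    # to this origin, including requests triggered by another site.
    if method.upper() in SAFE_METHODS:
        return (True, "cookie session, safe method")
    _, expected = session
    supplied = headers.get("x-csrf-token", "")
    # Constant-time comparison of the supplied token with the issued one.
    if hmac.compare_digest(supplied.encode(), expected.encode()):
        return (True, "cookie session, CSRF token matched")
    return (False, "cookie session without valid CSRF token")
```

If the same endpoint serves both a desktop client and a browser front end, only the cookie branch needs the CSRF token; the bearer branch still depends on the token being valid and sent over TLS.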
