Reputation: 4799
I was reading up on CSRF and came across this question: https://security.stackexchange.com/questions/36671/csrf-token-in-get-request
Multiple people online also seem to indicate that one should not protect GET requests against CSRF. However, I am confused by why.
If your GET request contains sensitive information (like say personal info for a user), then you would want to protect it against CSRF right? Otherwise an attacker can steal personal info.
I get that you shouldn't include the token in the GET URL because those may be logged. However, can't you just include them in a custom header?
Upvotes: 0
Views: 301
Reputation: 1461
CSRF attacks are blind. They typically send a request without being able to read the result of the action. The reason here is the Same Origin Policy.
SOP prevents you from reading RESPONSES received by other origins, meaning that you can't access the private stuff anyways.
CSRF protection instead protects REQUESTS in the sense that it adds a token which symbolizes that the request is started by the web app itself.
Upvotes: 3
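To make the distinction in this answer concrete, here is an added example (not from the question, the answer, or any framework) of a server-side synchronizer-token check: safe methods such as GET are let through, because the Same Origin Policy already keeps the response away from a cross-site page, while state-changing methods must present the session's token in a custom header, as the question suggests. The `X-CSRF-Token` header name, the `ALLOWED_ORIGINS` set and the dict-based session are assumptions for illustration.

```python
import hmac
import secrets

# Methods that must not change state; a cross-site GET can be sent,
# but the attacker cannot read the response, so no token is required.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Assumed origin of the application (placeholder, not a real deployment).
ALLOWED_ORIGINS = {"https://app.example"}


def issue_token(session: dict) -> str:
    """Generate a per-session synchronizer token and store it server side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def check_request(method: str, headers: dict, session: dict) -> bool:
    """Return True if the request may proceed.

    Safe methods pass without a token: putting one in the URL would only
    expose it in logs and referrers without stopping anything.
    State-changing methods must carry the session token in a custom
    header (assumed name X-CSRF-Token); a cross-site form or image
    request cannot set custom headers, so a forged request fails here.
    Header names are assumed to be already normalized by the framework.
    """
    if method.upper() in SAFE_METHODS:
        return True
    # If the browser sent an Origin header, it must be one of ours.
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False
    expected = session.get("csrf_token")
    presented = headers.get("X-CSRF-Token")
    if not expected or not presented:
        return False
    # Constant-time comparison so the check does not leak the token.
    return hmac.compare_digest(expected, presented)
```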