user7461

Reputation: 125

When should CSRF tokens be needed?

When deleting a list item, is it necessary to confirm that it is a correct request by using a CSRF token?

I think the necessity of a CSRF token depends on the importance of the data to be deleted. I wonder whether my idea is correct?

<ul>
    <li>item 1 <button type="button" onclick="deleteItem()">delete</button></li>
    <li>item 2 <button type="button" onclick="deleteItem()">delete</button></li>
    <li>item 3 <button type="button" onclick="deleteItem()">delete</button></li>
</ul>

Upvotes: 0

Views: 942

Answers (2)

Johan

Reputation: 3611

By default you should use CSRF validation every time you modify data. In reality this used to be when you do a POST, PUT, PATCH or DELETE request. In every case except for a GET request.

If you accept requests without a CSRF-token, it's possible for another website to make requests on behalf of the user, malicious intent or not.

Upvotes: 1
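Added example (not part of either answer on this page): a minimal server-side check in Node.js that applies the rule from the answer above to the question's delete request, skipping safe methods and requiring a session-bound token on everything else. The function names, the `X-CSRF-Token` header and the HMAC-of-session-id token scheme are assumptions chosen for illustration, and the sample requests are constructed.

```javascript
const crypto = require("crypto");

// Methods that must not modify data and therefore skip the CSRF check.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Server-side key (assumption: generated at startup; a real deployment
// would load a persistent secret so tokens survive restarts).
const SERVER_KEY = crypto.randomBytes(32);

// Token = HMAC(server key, session id), so it is only valid for one session.
function issueCsrfToken(sessionId) {
  return crypto.createHmac("sha256", SERVER_KEY).update(sessionId).digest("hex");
}

function tokenMatches(sessionId, presented) {
  if (typeof presented !== "string") return false;
  const expected = Buffer.from(issueCsrfToken(sessionId), "utf8");
  const given = Buffer.from(presented, "utf8");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// req is a plain object: { method, sessionId, headers } (hypothetical shape).
function checkRequest(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) {
    return { allowed: true, reason: "safe method, no token required" };
  }
  if (!tokenMatches(req.sessionId, req.headers["x-csrf-token"])) {
    return { allowed: false, reason: "missing or invalid CSRF token" };
  }
  return { allowed: true, reason: "valid CSRF token" };
}

// Constructed sample requests for the delete-item case.
const session = "session-abc123";
const token = issueCsrfToken(session);
const samples = [
  { method: "GET", sessionId: session, headers: {} },
  // What a cross-site request looks like: session cookie sent, no token.
  { method: "DELETE", sessionId: session, headers: {} },
  { method: "DELETE", sessionId: session, headers: { "x-csrf-token": token } },
  // Token issued for a different session is rejected.
  { method: "DELETE", sessionId: "session-other", headers: { "x-csrf-token": token } },
];
for (const r of samples) console.log(r.method, checkRequest(r));
```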

China Syndrome

Reputation: 993

You only need CSRF tokens when posting data. Typically a client-side secret "token" in a form tag or when doing an AJAX call to the back end.

Upvotes: 1
