Gherman

Reputation: 7436

Are there CSRF attacks that don't use cookies?

Suppose an HTTP server reads virtually no data from cookies at all. All data comes from different parts of the request: headers, body, URL, etc. Does this fact guarantee there can be no CSRF attacks?

Upvotes: 2

Views: 48

Answers (1)

Gabor Lengyel

Reputation: 15589

CSRF does not need cookies specifically. It needs authentication that is sent by a browser automatically. Other such forms of authentication include HTTP Basic auth and client certificates, for example.

If a specific HTTP header is used for authorization (e.g. a bearer token), that effectively prevents CSRF.

Upvotes: 1
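
The distinction drawn in the answer above, as an added example that is not part of the original question or answer: a server-side check that separates credentials a browser attaches on its own from ones the caller must add explicitly. The request shape (a header dict plus a `client_cert` flag) and all function names are assumptions made for illustration.

```python
# Added example: classify the credentials on a request as "ambient"
# (attached by the browser automatically) or "explicit" (added by calling code).
# Assumption: the server accepts exactly the credentials present on the request.

# Authorization schemes a browser replays by itself once the user has logged in.
BROWSER_AUTO_SCHEMES = {"basic", "digest", "negotiate", "ntlm"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _auth_scheme(headers):
    """Lower-cased scheme of the Authorization header, or '' if absent."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            return value.strip().split(" ", 1)[0].lower()
    return ""


def ambient_credentials(headers, client_cert=False):
    """List the credentials on this request that a browser sends automatically."""
    found = []
    if any(k.lower() == "cookie" and v for k, v in headers.items()):
        found.append("cookie")
    scheme = _auth_scheme(headers)
    if scheme in BROWSER_AUTO_SCHEMES:
        found.append("http-" + scheme)
    if client_cert:  # TLS client certificate, presented below the HTTP layer
        found.append("client-certificate")
    return found


def csrf_exposed(method, headers, client_cert=False):
    """True for a state-changing request authenticated by ambient credentials only."""
    if method.upper() not in STATE_CHANGING:
        return False
    if _auth_scheme(headers) == "bearer":
        # A cross-site form or image tag cannot set this header, so the
        # request was built by code that holds the token.
        return False
    return bool(ambient_credentials(headers, client_cert))


if __name__ == "__main__":
    # Constructed sample requests; no cookie is involved in the first two.
    samples = [
        ("POST", {"Authorization": "Basic dXNlcjpwYXNz"}, False),
        ("POST", {}, True),
        ("POST", {"Authorization": "Bearer example-token"}, False),
    ]
    for method, headers, cert in samples:
        print(method, ambient_credentials(headers, cert), csrf_exposed(method, headers, cert))
```

A server that accepts a cookie or Basic credential as an alternative to the bearer token remains exposed through that alternative; the check only holds when the explicit header is the sole accepted credential.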
