In this post I explore the options for mitigating Cross-Site Request Forgery (CSRF) vulnerabilities in a Single Page Application, both for same-site requests and for legitimate cross-site requests.
Imagine you wake up one day and realize that someone has stolen your internet domain. Exactly this happened to designer David Airey a couple of years ago. An attacker who exploited a CSRF vulnerability in Gmail got control over David Airey's mailbox and contacted the domain registrar in his name.
In past years CSRF has gained awareness, so modern frameworks nowadays ship with built-in protection mechanisms.
A common case is that a web site is served from the same domain (that is, the same origin) as the target domain of the requests the site makes. But this is not always the case, and a site that makes legitimate cross-site requests is particularly exposed to CSRF.
Code examples in this post are for a Single Page Application written in Angular with Spring on the server side; however, the principles should hold true for other frameworks as well.