Kryptix, posted April 28, 2012:
How much work do you do to stop CSRF? Like, I've made sure when changing passwords/e-mails (or anything related to account security) they have to confirm their own password, so CSRF can't really do much. I've got a header referral check on everything, but this is really easy to spoof, so without putting hidden tokens in each form is there any easier way? I can't really be bothered, and the worst thing they can do is get a user to post a spam post on my forum or something trivial. How far do you take it?
requinix, posted April 28, 2012:
The problem isn't that you're not using CSRF tokens.
"I can't really be bothered"
That is the problem. As a user I find it distressing when the person/people maintaining a site I use simply don't care. You just shrug off spam? That shows you have no interest in the health of the forum, and if you don't care then why should I?
scootstah, posted April 28, 2012:
I validate CSRF for every POST request. If done properly it takes absolutely zero extra time to implement. There's no excuse for not implementing CSRF.
xyph, posted April 29, 2012:
My form class extends a token class I've made. It was very little extra work for me to add tokens to my forms.
I wouldn't call a CSRF header injection easy though. It's quite tricky to spoof the referrer of another client's browser. Many corporate proxies or paranoid users won't send the referrer header on a legit request, though.
scootstah, posted April 29, 2012:
"I wouldn't call a CSRF header injection easy though. It's quite tricky to spoof the referrer of another client's browser. Many corporate proxies or paranoid users won't send the referrer header on a legit request, though."
I feel that checking the referer is pointless because it can be spoofed. Plus, as you said, it might not even be set.
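The two points made across these replies (a per-session hidden token that every POST must carry, and a Referer header that is sometimes absent on legitimate requests and so cannot be the sole control) can be shown side by side in a small handler. The code below is an added example written for this thread; it is not any poster's token or form class. It assumes a server-side session dict holding the user's token, a hypothetical `handle_post` entry point, and the constructed site hostname `forum.example`; the token check is authoritative and the Referer check is advisory only, so a proxy user whose Referer is stripped is still accepted when the token matches.

```python
import hmac
import secrets
from html import escape
from urllib.parse import urlparse


def new_session():
    """Constructed stand-in for a server-side session bound to the login cookie.

    The CSRF token is generated once per session with a CSPRNG and never
    exposed anywhere an attacker's page could read it.
    """
    return {"user_id": 42, "csrf_token": secrets.token_urlsafe(32)}


def hidden_token_field(session):
    """Markup a form class would emit so every POST carries the session token."""
    return '<input type="hidden" name="csrf_token" value="%s">' % escape(
        session["csrf_token"]
    )


def csrf_token_valid(session, form):
    """True only if the submitted token matches the session token.

    hmac.compare_digest is used so a mismatch does not leak position via timing.
    A missing token on either side is a failure, never a pass.
    """
    submitted = form.get("csrf_token")
    expected = session.get("csrf_token")
    if not submitted or not expected:
        return False
    return hmac.compare_digest(submitted, expected)


def referer_matches(headers, site_host):
    """Advisory check: does the Referer name our own host?

    Returns False when the header is absent, which happens on legitimate
    requests through privacy proxies and browsers with referrer suppression.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlparse(referer).hostname == site_host


def handle_post(session, headers, form, site_host="forum.example"):
    """Hypothetical POST handler returning (accepted, reason).

    The hidden token decides; the Referer result is only recorded so that a
    stripped header does not lock out real users, and a foreign Referer on a
    request that somehow carried a valid token is still visible in logs.
    """
    if not csrf_token_valid(session, form):
        return False, "rejected: csrf token missing or mismatched"
    if not referer_matches(headers, site_host):
        return True, "accepted: token valid, referer absent or foreign (logged)"
    return True, "accepted"


if __name__ == "__main__":
    sess = new_session()
    print(hidden_token_field(sess))
    # Normal browser submission from our own page.
    print(handle_post(sess, {"Referer": "https://forum.example/newpost"},
                      {"csrf_token": sess["csrf_token"], "body": "hello"}))
    # Same user behind a proxy that strips Referer: still accepted.
    print(handle_post(sess, {}, {"csrf_token": sess["csrf_token"], "body": "hello"}))
    # Auto-submitted form from another origin: no token, so rejected
    # no matter what the Referer header says.
    print(handle_post(sess, {"Referer": "https://forum.example/newpost"},
                      {"body": "spam"}))
```

Running the block prints the hidden field and three decisions: accept, accept with the Referer noted as absent, and reject for the cross-site form that cannot know the token. Rotating the token on login and on password change, as the first post already does for the sensitive actions, is a cheap addition to the same session dict.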