Implement anti csrf measures

This is done by using the "samesite" cookie attribute.
author: xXx-caillou-xXx 2017-11-24 14:03:37 +0100
committer: jvoisin 2017-11-24 14:03:37 +0100
commit: 5a224ee0c92d1639395d6a0c629316ae64226125 (patch)
tree: 8925d27e2bbfa877e9fb1fc20868fbef3d009b04 /doc/source/features.rst
parent: 79304a29661476dc75bba07c5a83133122bbcb5c (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/doc/source/features.rst b/doc/source/features.rst
index 3643326..c4239e9 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -321,6 +321,20 @@ would be to use a different user to run PHP than for administrating the website,
 and using this feature to lock this up.
+Protection against cross site request forgery
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Cross-site request forgery, sometimes abbreviated as *CSRF*,
+is when unauthorised commands are issued from a user that the application trusts.
+For example, if a user is authenticated on a banking website,
+an other site might present something like 
+``<img src="http://mybank.com/transfer?from=user&to=attack&amount=1337EUR">``,
+effectivement transfering money from the user's account to the attacker one.
+Snuffleupagus can prevent this (in `supported browsers <https://caniuse.com/#search=samesite>`__)
+by setting the `samesite <https://tools.ietf.org/html/draft-west-first-party-cookies-07>`__
+attribute on cookies.
 Dumping capabilities
 ^^^^^^^^^^^^^^^^^^^^
author	xXx-caillou-xXx	2017-11-24 14:03:37 +0100
committer	jvoisin	2017-11-24 14:03:37 +0100
commit	5a224ee0c92d1639395d6a0c629316ae64226125 (patch)
tree	8925d27e2bbfa877e9fb1fc20868fbef3d009b04 /doc/source/features.rst
parent	79304a29661476dc75bba07c5a83133122bbcb5c (diff)

diff --git a/doc/source/features.rst b/doc/source/features.rst index 3643326..c4239e9 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst
@@ -321,6 +321,20 @@ would be to use a different user to run PHP than for administrating the website,
321	and using this feature to lock this up.	321	and using this feature to lock this up.
322		322
323		323
		324	Protection against cross site request forgery
		325	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
		326
		327	Cross-site request forgery, sometimes abbreviated as CSRF,
		328	is when unauthorised commands are issued from a user that the application trusts.
		329	For example, if a user is authenticated on a banking website,
		330	an other site might present something like
		331	``<img src="http://mybank.com/transfer?from=user&to=attack&amount=1337EUR">``,
		332	effectivement transfering money from the user's account to the attacker one.
		333
		334	Snuffleupagus can prevent this (in `supported browsers <https://caniuse.com/#search=samesite>`__)
		335	by setting the `samesite <https://tools.ietf.org/html/draft-west-first-party-cookies-07>`__
		336	attribute on cookies.
		337
324		338
325	Dumping capabilities	339	Dumping capabilities
326	^^^^^^^^^^^^^^^^^^^^	340	^^^^^^^^^^^^^^^^^^^^