From 5a224ee0c92d1639395d6a0c629316ae64226125 Mon Sep 17 00:00:00 2001 From: xXx-caillou-xXx Date: Fri, 24 Nov 2017 14:03:37 +0100 Subject: Implement anti csrf measures This is done by using the "samesite" cookie attribute.--- doc/source/features.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'doc/source/features.rst') diff --git a/doc/source/features.rst b/doc/source/features.rst index 3643326..c4239e9 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst @@ -321,6 +321,20 @@ would be to use a different user to run PHP than for administrating the website, and using this feature to lock this up. +Protection against cross site request forgery +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Cross-site request forgery, sometimes abbreviated as *CSRF*, +is when unauthorised commands are issued from a user that the application trusts. +For example, if a user is authenticated on a banking website, +an other site might present something like +````, +effectivement transfering money from the user's account to the attacker one. + +Snuffleupagus can prevent this (in `supported browsers `__) +by setting the `samesite `__ +attribute on cookies. + Dumping capabilities ^^^^^^^^^^^^^^^^^^^^ -- cgit v1.3
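Review bot: the inline literal on the "````," line of the new section is empty, so the banking illustration has no payload, and both link targets (`supported browsers `__ and `samesite `__) carry no URL; please restore the HTML snippet and the two link targets before this lands. The security claim in the last paragraph also needs qualifying: it says the samesite attribute is set but not to which value, and the value decides what is blocked. `SameSite=Lax` still sends the cookie on top-level cross-site GET navigations (a link click or a GET form submit), so a state-changing GET endpoint like the transfer in the example stays forgeable under Lax and only `Strict` stops it, while `Strict` in turn drops the session on every legitimate cross-site entry into the application. Suggest stating which value Snuffleupagus applies, how it is enabled (no configuration directive is shown anywhere in the section), and that on browsers without SameSite support the attribute is silently ignored and no protection exists, so applications should keep per-request anti-CSRF tokens rather than rely on this alone. Wording: "an other site" should be "another site", "effectivement transfering money" mixes in French and should read "effectively transferring money", "the attacker one" should be "the attacker's", and the heading "cross site request forgery" should be hyphenated like the body text.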