Mitigate CSRF Attacks by Setting the SameSite Cookie Flag in Express

Instructor: Mike Sherov
Published 4 years ago
Updated 3 years ago

In this lesson, we'll learn what the SameSite cookie flag is, what its various settings are, and how it can be used to prevent most forms of CSRF vulnerabilities. We'll then demonstrate how it protects against the exploit we crafted in the previous lesson.

Instructor: [00:00] We discovered our site is vulnerable to CSRF attacks. If we log in to our site and then visit our evil.com site, which attempts to hack us, it can submit a message on our behalf. The reason this happens is that requests to our domain still include the session ID cookie even though they originate from the attacker's website.

[00:23] Fortunately, cookies now have a new property known as the SameSite property. The SameSite property determines whether a cookie will be allowed to be sent cross-site or not. The default value is none, which allows cross-site cookies, but now, we can switch the value to Lax.

[00:43] What Lax does is it says as long as the request method is GET, as opposed to POST or PUT or PATCH, and as long as the GET request is a top-level navigation, like following a link, then cookies will be sent. Otherwise, they won't.

[01:02] To see this in action, we'll restart our server, we'll clear our cookies for localhost.charlesproxy.com, and we'll switch back over to the network tab. When we refresh our site and inspect our request, we can see that the Set-Cookie call is made with SameSite=Lax.

[01:30] If we log back into our site and visit evil.com again and attempt to run our hack, we can see that the request was sent without our cookie. If we go back to localhost.charlesproxy.com and refresh, we see that we weren't hacked.

[01:55] Because our cookie is Lax, if we click the Go Back button, we see that we go back logged in. This is a top-level navigation using the GET method and works with SameSite Lax. If we change to Strict and clear our cookies again, log back in again, we see that not only does our hack not work, but also, if we click a link to go back to charlesproxy.com from evil.com, we'll land logged out.

[02:30] This is an effective CSRF mitigation with a good default of Lax. In fact, Lax is such a good default that it will become the default setting in Chrome 80, set to be released on February 4th, with Edge and Firefox following soon thereafter.
