App Firewall Settings
Cross-site Request Forgery
Cross-site request forgery (CSRF) attacks trick the victim’s browser into executing unwanted actions on a web application in which the victim is currently authenticated.
WAAS mitigates CSRF attacks by intercepting responses and setting the ‘SameSite’ cookie attribute value to ‘strict’.
The ‘SameSite’ attribute prevents browsers from sending the cookie along with cross-site requests.
It only permits the cookie to be sent along with same-site requests.
There are several techniques for mitigating CSRF, including synchronizer (anti-CSRF) tokens, which developers must implement as part of your web application.
The synchronizer token pattern generates random challenge tokens associated with a user’s session.
These tokens are inserted into forms as a hidden field, to be submitted along with your forms.
If the server cannot validate the token, the server rejects the requested action.
The SameSite cookie attribute works as a complementary defense against CSRF, and helps mitigate against things such as faulty implementation of the synchronizer token pattern.
-
When the SameSite attribute is not set, the cookie is always sent.
-
With SameSite attribute set to strict, the cookie is never sent in cross-site requests.
-
With SameSite attribute set to lax, the cookie is only sent on same-site requests or top-level navigation with a safe HTTP method, such as GET.
It is not sent with cross-domain POST requests or when loading the site in a cross-origin frame.
It is sent when you navigate to a site by clicking on a <a href=…> link that changes the URL in your browser’s address bar.
-
Chrome 61 or later.
-
Firefox 58 or later.
For more information about the SameSite attribute, see https://tools.ietf.org/html/draft-west-first-party-cookies-07