[security] One time form tokens
Martin Atkins
mart at degeneration.co.uk
Thu Apr 12 16:52:38 UTC 2007
Some good advice there, Gareth.
gaz_sec at hushmail.com wrote:
>
> Another useful tip for securing OpenID servers is to use referrer
> checking, now you might think that this is useless because the
> referrer can be faked. However in javascript it is more difficult
> for a hacker to fake the referrer header, as headers can't be
> easily sent with form posts so referrer checking can actually
> increase the security of your server and prevent some CSRF.
>
Be careful when using referrer checking, though.
Many people use filtering proxies or other similar software which blocks
the Referer header or alters it in some way. Behavior I've observed for
such software is often one of:
* Don't send the Referer header at all.
* Set the Referer to be whatever URL is being requested.
* Set the Referer to be the root of the site to which the request is
being sent.
So if you're going to do referrer checking, it's best to firstly limit
your checking to only ensuring that the hostname portion of the URL is
correct, and also to allow the request through if the Referer header is
completely absent. That will cover you for all of the above odd-ball
cases without reducing the advantages of the referrer checking.
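The hostname-only, absent-is-allowed Referer check described in this message, written out as an added Python example (it is not code from the mailing list or from any OpenID server project). The function name `referer_allowed`, the expected host `id.example.com` and the sample header values are all constructed for the illustration; the choice to reject a Referer that is present but unparseable is an assumption added here, since the message only says what to do with a correct, altered or missing header.

```python
from urllib.parse import urlsplit


def referer_allowed(referer, expected_host):
    """Return True if a request with this Referer header should be accepted.

    Policy taken from the message above:
      * no Referer at all (filtering proxy stripped it)  -> allow
      * Referer present -> compare only the hostname, so a proxy that
        rewrites it to the requested URL or to the site root still passes
      * any other host -> reject (cross-site form post)
    Assumption added here: a Referer that is present but has no parseable
    host is treated as a failed check rather than as "absent".
    """
    if referer is None or referer.strip() == "":
        return True  # absent: proxies and privacy tools often drop it

    host = urlsplit(referer.strip()).hostname  # .hostname is lowercased
    if host is None:
        return False  # present but unparseable, e.g. "id.example.com/login"

    # Exact match on the hostname only: no substring or suffix matching,
    # so "id.example.com.attacker.example.net" does not pass.
    return host == expected_host.lower()


def classify_request(headers, expected_host):
    """Case-insensitive header lookup plus the check; returns (ok, why)."""
    referer = None
    for name, value in headers.items():
        if name.lower() == "referer":
            referer = value
            break
    ok = referer_allowed(referer, expected_host)
    if referer is None or referer.strip() == "":
        why = "absent Referer, allowed"
    elif ok:
        why = "Referer host matches, allowed"
    else:
        why = "Referer host does not match, rejected"
    return ok, why


if __name__ == "__main__":
    # Constructed sample headers covering the odd-ball proxy cases in the
    # message plus one genuine cross-site post.
    samples = [
        {},                                                     # header stripped
        {"Referer": "https://id.example.com/openid/login"},     # set to requested URL
        {"Referer": "https://id.example.com/"},                 # set to site root
        {"referer": "https://attacker.example.net/csrf.html"},  # cross-site
    ]
    for h in samples:
        print(h, "->", classify_request(h, "id.example.com"))
```

Because only the hostname is compared, the check tolerates proxies that rewrite the path while still rejecting a post from another site; it complements rather than replaces the one-time form tokens this thread is about.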