
Does a proper CORS setup prevent CSRF attack?


If CORS is properly set up on a server to only allow certain origins to access the server,

is this enough to prevent CSRF attacks?


Solution

  • To be more specific, it is easy to make the mistake of thinking that if evil.example cannot make a request to good.example due to CORS then CSRF is prevented. There are two problems being overlooked, however:

    1. CORS is respected by the browsers only. That means Google Chrome will obey CORS and not let evil.example make a request to good.example. However, imagine someone builds a native app or whatever which has a form that POSTs things to your site. XSRF tokens are the only way to prevent that.

    2. It is easy to overlook the fact that CORS is only for JS requests. A regular form on evil.example that POSTs back to good.example will still work despite CORS.

    For these reasons, CORS is not a good replacement for XSRF tokens. It is best to use both.