It's very nice to have an up-to-date writeup like this. I've gotten some odd loo... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		AgentME 5 months ago \| parent \| context \| favorite \| on: Cross-Site Request Forgery It's very nice to have an up-to-date writeup like this. I've gotten some odd looks for telling people that classic CSRF tokens are unnecessary work since the Origin header became widely supported, and I'm glad to have a page like this to refer people to.

nchmy 5 months ago [–]

A few more links that I collected recently on the topic

https://github.com/golang/go/issues/73626

https://developer.mozilla.org/en-US/docs/Web/Security/Attack...

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...

https://web.dev/articles/fetch-metadata

https://appliedgo.net/spotlight/csrf-dont-mess-with-my-site/

And some older ones that focused on Origin header rather than sec-fetch-*

https://www.sjoerdlangkemper.nl/2019/02/27/prevent-csrf-with...

https://www.brandur.org/fragments/origin

https://srungta.github.io/blog/start-right/ui-nonce

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact