Is CORS configuration the only CSRF countermeasure for Rails API x Next?

Asked 1 year ago, Updated 1 year ago, 307 views

In the Rails API x Next configuration, we plan to use session cookies to manage the login status.
In this case, is just setting up CORS on the Rails API enough as a CSRF countermeasure?

If CORS is set up, it will prevent requests from malicious external sites (different origins), so I wonder whether counterfeit requests using the session cookie can still be made.
I would appreciate it if anyone who knows more about this could let me know.

ruby-on-rails security nextjs cors

2022-11-27 17:13

1 Answer

CORS is not a countermeasure against CSRF (or, what CORS is not)
https://qiita.com/netebakari/items/41baa7e1d0b8d89f9d12

CORS is not intended to prevent users from making unintended requests, but to prevent malicious JavaScript code from referring to the returned values. The request itself can occur as many times as you want, so you cannot take CSRF measures without server validation.


2022-11-27 22:59
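A plain-Ruby sketch of the server-side validation the answer calls for, added here as an example (it is not code from the question, the answer or the linked article). It assumes the Next.js front end is served from https://app.example.test, that the API stores a per-session CSRF token and receives it back in an X-CSRF-Token header, and that requests are represented as constructed hashes; Rails' own protect_from_forgery implements the same idea, but ActionController::API does not include it by default, so an API-only app has to opt in.

```ruby
require 'securerandom'

# Assumed deployment: Next.js front end at https://app.example.test (example value).
module CsrfGuard
  ALLOWED_ORIGINS = ['https://app.example.test'].freeze
  SAFE_METHODS    = %w[GET HEAD OPTIONS].freeze

  # Constant-time comparison so a token check does not leak timing information.
  def self.secure_equal?(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Returns :allow, or a symbol naming why the request is rejected.
  # request is a constructed hash:
  #   { method:, origin:, referer:, csrf_header:, session: { csrf_token: } }
  # Note that no CORS header appears here: a forged cross-site POST reaches the
  # server with the session cookie attached regardless of CORS, which only decides
  # whether the attacker's script may read the response afterwards.
  def self.check(request)
    return :allow if SAFE_METHODS.include?(request[:method])

    # 1. Browsers send Origin on cross-site POSTs. Fall back to the Referer's
    #    origin, and reject state-changing requests that carry neither.
    origin = request[:origin] || referer_origin(request[:referer])
    return :reject_origin unless ALLOWED_ORIGINS.include?(origin)

    # 2. Synchronizer token: the cookie alone proves nothing, because the browser
    #    attaches it to forged requests too. The token travels in a custom header
    #    that a page on another origin cannot set or read.
    expected = request.dig(:session, :csrf_token)
    return :reject_token unless secure_equal?(expected, request[:csrf_header])

    :allow
  end

  def self.referer_origin(referer)
    return nil if referer.nil?
    m = referer.match(%r{\A(https?://[^/]+)})
    m && m[1]
  end

  # Generated once per session and handed to the front end (e.g. via a GET endpoint).
  def self.new_token
    SecureRandom.base64(32)
  end
end
```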
