Anthony Ferrara wrote on his blog a few steps to prevent CSRF attacks, as a follow-up to a discussion started earlier on this blog and on Twitter. He first defines the five types of request forgery attacks:
- From A JS Injection On The Target Site
- From A Man-In-The-Middle Attack
- From A Replay Attack
- From A Browser-In-The-Middle Attack
- and From Another Site
The first step to prevent CSRF is to include a hidden token in any sensitive form submission; the second step improves on this by changing the token for each request; and the third is to store the token in the user's session data and invalidate it once it has been seen. This makes the token a nonce (a number used once) and effectively protects against all kinds of CSRF attacks.
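As an added example (not code from Anthony Ferrara's post), the three steps implemented in Python over a plain dict that stands in for the server-side session; the session key name and the bound on outstanding tokens are assumptions, and the bound only exists so a user with several tabs open is not locked out of the older forms.

```python
import hmac
import secrets
from html import escape

SESSION_KEY = "csrf_nonces"   # assumed name of the per-user session slot
MAX_LIVE_NONCES = 20          # assumed bound so open tabs do not grow the session without limit


def issue_nonce(session: dict) -> str:
    """Steps 2 and 3: mint a fresh token for this form render and remember it in the session."""
    nonce = secrets.token_urlsafe(32)
    live = session.setdefault(SESSION_KEY, [])
    live.append(nonce)
    # Drop the oldest tokens once the bound is hit (constructed policy, not from the post).
    del live[:-MAX_LIVE_NONCES]
    return nonce


def hidden_field(session: dict, field_name: str = "_csrf") -> str:
    """Step 1: the hidden input to embed in a sensitive form."""
    return f'<input type="hidden" name="{escape(field_name)}" value="{escape(issue_nonce(session))}">'


def consume_nonce(session: dict, submitted: str) -> bool:
    """Step 3: accept a token once only; a match is removed so a replay of the same form fails."""
    if not submitted:
        return False
    live = session.get(SESSION_KEY, [])
    for idx, nonce in enumerate(live):
        # Constant-time compare so the check does not leak which bytes matched.
        if hmac.compare_digest(nonce, submitted):
            del live[idx]
            return True
    return False


def demo() -> tuple:
    session = {}                                   # constructed stand-in for the session store
    field = hidden_field(session)
    token = field.split('value="')[1].rstrip('">')  # what the browser would send back
    first = consume_nonce(session, token)                       # genuine submission: accepted
    replay = consume_nonce(session, token)                      # same token again: rejected
    forged = consume_nonce(session, secrets.token_urlsafe(32))  # token never issued: rejected
    return first, replay, forged


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```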