Hi and welcome to my session on avoiding CSRF with Remix. This is a lightning talk, so we're going to go through this in a pretty whirlwind fashion. So let's start up by talking about what CSRF is. Like most security exploits, it's got an acronym and it stands for Cross-Site Request Forgery. And in this scenario, basically the attacker tricks the user into accessing the URL and then this URL will perform an action using their existing session.
So a simple example, or perhaps the worst example, is an image with a URL and that URL performs an action. So before you say, no, I want to write code like this, I've seen this in apps that I've audited, and obviously the first thing the user is doing wrong here is they're using get to perform some sort of action. But equally, this kind of exploit can be achieved even if it's using post. And we do that by having an iframe with a hidden height and width, and that embeds a separate URL. And in that URL we have the form, the post to that endpoint, and we have an onload function that submits it the second the form is loaded.
So let's talk about Remix a bit. Remix gets you thinking about actions in terms of the building blocks of the web, which is the HTML form element. And if you've been building apps with JavaScript, you've probably been using things like Fetch or Axios, and in these scenarios, of course, it protects you. Unless, of course, you're using access, allow origin, you know, star, and you're allowing credentials to come through. And in that case, you're in the same boat. So because we're submitting forms again via straight up, you know, multi-part form data, we need to think about Cross-Site Request Forgery.
So let's have a look at a simple Remix form example. We've got a primitive form here with a text field and a Submit button. We've got some sort of loader to check the user has got authenticated session because Cross-Site Request Forgery does require these to be logged in. You know, you're performing an action using their existing session that they didn't intend to do. And so we're not going to go into the details here, but yeah, the loader is making sure the user's got a session. We've then got an action in our component that does some sort of write to the database or similar. Something that performs some sort of action that, you know, can't be reversed. So how do you avoid Cross-Site Request Forgery with Remix in this scenario? Well, the first thing you should do is set the same site attribute on your cookies. So you can set that to lax, which will mean the browser will only send the cookies if it's a get request coming from another domain. Or you can set it to strict, which means it won't send any cookies for any requests that originate from another domain. So you might need to check whether you're using some sort of authentication flow that redirects to other sites as to which is the most appropriate for your site. But unfortunately, according to OWASP, this isn't enough and we shouldn't replace having a token. And the main reason for that is that only 93% of browsers support the same site attribute at this stage. We're almost there.
Comments