-1

This is probably a very simple question. I just want to make sure I correctly understand it:

If I disable CORS on my web server, I am protected against CSRF (XSRF) attacks. Is that a correct assumption?

STeN

1 Answer

1

Definitely not. The more likely attack vector for CSRF is for non-XHR requests (regular GET and POST), which aren't subject to CORS anyway. You need to check your URLs for the types of requests they allow, and protect accordingly. CORS actually makes this safer, if you can be sure it is being used.

Jake Feasel
  • For more on this I suggest reading one of my other answers on the topic: http://stackoverflow.com/a/20186782/808921 – Jake Feasel Jun 08 '15 at 01:16
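
The point of the answer above as an added example (not part of the original answer or comment): a server-side check in Node.js that rejects a cross-site form POST however CORS is configured, because the decision rests on the `Origin` header and a session-bound token. The origin `https://app.example`, the `csrf_token` field name and the plain-object request shape are assumptions made for illustration.

```javascript
const nodeCrypto = require("crypto");

// Constructed values for this example (assumptions, not from the post).
const SECRET = nodeCrypto.randomBytes(32);
const SITE_ORIGIN = "https://app.example";

// Token bound to the session id; the site embeds it in forms it serves itself.
// Another site can make the browser send the session cookie, but cannot read
// this value, so it cannot include it in a forged request.
function issueToken(sessionId) {
  return nodeCrypto.createHmac("sha256", SECRET).update(sessionId).digest("hex");
}

// Constant-time comparison of the submitted token with the expected one.
function tokenMatches(sessionId, token) {
  const expected = Buffer.from(issueToken(sessionId));
  const given = Buffer.from(String(token || ""));
  return given.length === expected.length &&
    nodeCrypto.timingSafeEqual(given, expected);
}

// Decide whether to process a request.
// `req` is a plain object: { method, headers, sessionId, body }.
function checkRequest(req) {
  const method = req.method.toUpperCase();
  // Plain GETs (links, <img>, form method=get) always reach the server,
  // so handlers behind safe methods must never change state.
  if (["GET", "HEAD", "OPTIONS"].includes(method)) {
    return { allow: true, reason: "safe method" };
  }
  // A form POST from another site is not blocked by CORS; it arrives here
  // with the user's cookies attached. Reject it if Origin says cross-site.
  const origin = req.headers["origin"];
  if (origin && origin !== SITE_ORIGIN) {
    return { allow: false, reason: "cross-site Origin" };
  }
  // Origin can be absent, so the token is required in every case.
  if (!tokenMatches(req.sessionId, (req.body || {}).csrf_token)) {
    return { allow: false, reason: "missing or bad CSRF token" };
  }
  return { allow: true, reason: "same-site with valid token" };
}
```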