The ASP.NET antiforgery token only works with the POST method. But for GET methods that are used to fetch some sensitive information, how can we avoid CSRF?
Viewed 565 times
-
There is already a thread on this topic with some interesting information provided. It says ASP.NET MVC 3, but it would still apply to current versions. http://stackoverflow.com/questions/4914994/using-mvc3s-antiforgerytoken-in-http-get-to-avoid-javascript-csrf-vulnerability – thmshd Mar 09 '17 at 12:49
-
Will the same origin policy help? – Saravana Manikandan Mar 09 '17 at 12:50
-
With security, the question is often how high you set the bar for possible attackers. Applying the same origin policy is a good step towards securing your app in general, but from my understanding it's not a bulletproof solution. Further reading: http://security.stackexchange.com/questions/16204/why-doesnt-the-same-origin-policy-block-get-requests-that-contain-arguments and http://stackoverflow.com/questions/33261244/why-same-origin-policy-isnt-enough-to-prevent-csrf-attacks – thmshd Mar 09 '17 at 13:02
-
Thanks thomashaid. One small doubt on the same origin policy. If we implement the same origin policy, then all the AJAX POST and GET requests will be restricted to the same domain, right? Or only GET requests will be restricted? – Saravana Manikandan Mar 09 '17 at 13:18
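The approach from the thread linked in the comments, carrying the antiforgery token outside the form body so that it can be checked on AJAX GET requests, can be done in ASP.NET MVC with an authorization filter. The code below is an added example, not code from the question or from the linked thread; the attribute name `ValidateHeaderAntiForgeryTokenAttribute`, the header name `X-RequestVerificationToken`, and the `AccountController` showing its use are assumptions chosen for illustration. It uses `System.Web.Helpers.AntiForgery.Validate(string cookieToken, string formToken)` and `AntiForgeryConfig.CookieName` from the framework; the cookie half of the token pair is read from the request cookie as usual, and the form half is read from a request header instead of the form body.

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical filter (not framework code): validates the ASP.NET antiforgery
// token pair on any verb, including GET, by taking the "form" half of the pair
// from a request header. The built-in [ValidateAntiForgeryToken] only reads the
// form field, which is why it is normally limited to POST.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    // Assumed header name; the client must send the token under this name.
    public const string HeaderName = "X-RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        HttpRequestBase request = filterContext.HttpContext.Request;

        // Cookie half: set by @Html.AntiForgeryToken() / AntiForgery.GetTokens().
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;

        // Form half: sent in a custom header instead of the form body, so this
        // works for GET and for JSON AJAX requests that have no form body.
        string headerToken = request.Headers[HeaderName];

        try
        {
            // Throws HttpAntiForgeryException when either half is missing,
            // the pair does not match, or the token was issued to another user.
            AntiForgery.Validate(cookieToken, headerToken);
        }
        catch (HttpAntiForgeryException)
        {
            // Short-circuit the action with 403 rather than leaking a stack trace.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden,
                "Missing or invalid antiforgery token.");
        }
    }
}

// Assumed controller showing the filter on a GET action that returns
// sensitive data to an AJAX caller.
public class AccountController : Controller
{
    [HttpGet]
    [ValidateHeaderAntiForgeryToken]
    public ActionResult Balance()
    {
        // Constructed sample response; a real action would look up the user.
        return Json(new { balance = 1234.56m, currency = "USD" }, JsonRequestBehavior.AllowGet);
    }
}
```

On the client, render the token into the page with `@Html.AntiForgeryToken()` (or obtain the pair with `AntiForgery.GetTokens`) and copy the value of the generated `__RequestVerificationToken` input into the `X-RequestVerificationToken` header of each XMLHttpRequest. Two caveats worth keeping in mind: the check only proves that the requester could read the token from a same-origin page, so it adds nothing for ordinary navigations or `<img>` / `<script>` loads that the browser issues on a third-party site's behalf, and it does not remove the need to keep GET actions free of side effects; the same origin policy already keeps a cross-site page from reading the response of a plain GET, so the filter is mainly useful against script-inclusion style leaks of JSON and as defence in depth.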