Preventing CSRF when using Rust on Nails #21
Comments
That's a great suggestion. So the current protection is as follows.

Threat Model

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Current Solution

When you login/register with barricade https://rust-on-nails.com/docs/auxiliary-services/authentication/ a cookie is set which is SameSite=Strict. This should be enough to prevent CSRF, see https://security.stackexchange.com/questions/121971/will-same-site-cookies-be-sufficient-protection-against-csrf-and-xss

Another link here: https://stephenreescarter.net/csrf-is-dead-long-live-samesite-lax/

Then I think https://crates.io/crates/axum_csrf would be useful as a defence in depth measure? Let me know what you think and if you want to write a section that would be great :)
Thank you for the detailed response and for providing the helpful links. I think the best course of action is that we explain 95%+ of browsers support this attribute (according to https://caniuse.com/same-site-cookie-attribute) and if someone wants to be extra cautious (or practice defense in depth, I like your word choice), they can integrate with the axum_csrf crate for CSRF tokens. Let me know what you think about this approach. And yes, I'd be happy to write this up! :)
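The two defences discussed in the comments above (a SameSite=Strict session cookie as the primary control, a CSRF token as defence in depth) are easier to reason about when both are written down as a testable policy. The following is an added example and is not code from Rust on Nails, barricade or the axum_csrf crate; it uses only the Rust standard library so it runs without a web framework. The `Request` type, the `check_csrf`, `session_set_cookie` and `tokens_match` functions, the `site_origin` parameter and the sample origins are all assumptions made for the illustration. It combines two checks that axum_csrf does not necessarily perform in this form: an Origin/Referer comparison against the application's own origin, and a constant-time comparison of the token posted by the form against the token stored for the session.

```rust
// Added example, not Rust on Nails / barricade / axum_csrf code. Models the CSRF
// defences discussed in the issue as plain functions so the policy can be tested.
use std::collections::HashMap;

/// `Set-Cookie` value for the session cookie. `SameSite=Strict` tells the browser
/// to omit the cookie from every cross-site request, so a forged POST from another
/// site arrives without a session and is simply unauthenticated. `HttpOnly` and
/// `Secure` do not address CSRF but belong on a session cookie regardless.
pub fn session_set_cookie(name: &str, value: &str) -> String {
    format!("{}={}; Path=/; HttpOnly; Secure; SameSite=Strict", name, value)
}

/// Minimal view of an incoming request (constructed for this example, not a real
/// framework type). Header names are expected lower-cased.
pub struct Request<'a> {
    pub method: &'a str,
    pub headers: HashMap<&'a str, &'a str>,
    /// Token the HTML form posted in a hidden field, if any.
    pub form_csrf_token: Option<&'a str>,
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allow,
    Reject(&'static str),
}

/// Compare two tokens without short-circuiting on the first differing byte.
/// Length is not hidden, which is fine for fixed-length random tokens.
fn tokens_match(a: &str, b: &str) -> bool {
    let (a, b) = (a.as_bytes(), b.as_bytes());
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Defence-in-depth CSRF check that runs in addition to the SameSite cookie.
/// `site_origin` is this application's own origin, e.g. "https://app.example.com"
/// (assumed value); `session_token` is the CSRF token stored server-side for the
/// current session, `None` if the session has none yet.
pub fn check_csrf(req: &Request, site_origin: &str, session_token: Option<&str>) -> Verdict {
    // Safe methods must not change state, so they need no CSRF protection.
    if matches!(req.method, "GET" | "HEAD" | "OPTIONS") {
        return Verdict::Allow;
    }

    // 1. Origin check. Browsers send Origin on POST requests; fall back to Referer
    //    when it is absent, and fail closed when neither header is present.
    match (req.headers.get("origin"), req.headers.get("referer")) {
        (Some(origin), _) => {
            if *origin != site_origin {
                return Verdict::Reject("cross-site origin");
            }
        }
        (None, Some(referer)) => {
            let same_site = *referer == site_origin
                || referer.starts_with(format!("{}/", site_origin).as_str());
            if !same_site {
                return Verdict::Reject("cross-site referer");
            }
        }
        (None, None) => return Verdict::Reject("missing Origin and Referer"),
    }

    // 2. Synchronizer token: the form must echo the token bound to the session.
    match (session_token, req.form_csrf_token) {
        (Some(expected), Some(submitted)) if tokens_match(expected, submitted) => Verdict::Allow,
        _ => Verdict::Reject("csrf token mismatch"),
    }
}

fn main() {
    // Constructed forged request from another site, carrying no valid token.
    let mut headers = HashMap::new();
    headers.insert("origin", "https://attacker.example");
    let forged = Request { method: "POST", headers, form_csrf_token: None };
    println!("{}", session_set_cookie("session", "abc123"));
    println!("{:?}", check_csrf(&forged, "https://app.example.com", Some("t0k3n")));
}
```

Two caveats worth keeping in mind when documenting the SameSite approach: Strict also withholds the cookie on a top-level navigation from an external link, so a user following a link from e-mail lands on the site logged out (the reason the linked article argues for Lax), and Lax still sends the cookie on top-level GET navigations, so state changes must never be reachable via GET. SameSite also does nothing against a request from a sibling subdomain, which is same-site, and against the minority of browsers without support; the token check above is what covers those cases.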
@farazfazli That sounds great and I really appreciate you taking the time to do this. Thanks.
One thing that's worth looking at is security from a pen tester's perspective. So here is the pen tester checklist for web apps: https://pentestbook.six2dez.com/others/web-checklist You can see the list is huge, so for cloak I have to check all those items, and that's why developing secure applications is harder than people think.
Awesome - I'll begin writing it up and open a pull request once I have a draft. Yes, that's a huge list and a good reference. I agree that developing secure applications is harder than most people think. Even a technique such as RLS requires careful planning to do properly.
Hey Ian!

I noticed in the examples for Rust on Nails that there isn't anything regarding preventing CSRF. I strongly feel we should add a section which mentions a crate such as https://crates.io/crates/axum_csrf to provide this functionality (since the guide is using axum). Let me know your thoughts. I'm happy to add the section if you'd like me to.