
@xeoncross
Created July 12, 2019 16:38
Thoughts about securing user sessions using a regular token or JWT along with a HTTPS httpOnly cookie

Secure Auth

A simple plan for preventing session theft via CSRF and XSS attacks, by combining the protection of httpOnly cookies over HTTPS/TLS with a hashed token that the client passes back on every request.

The idea is simple: the token can be stolen, but it cannot be used unless the attacker also has the secret from the cookie. Likewise, the cookie cannot be used unless the hashed token is also sent.

Since the cookie is httpOnly and only sent over HTTPS/TLS, the attacker will never be able to steal the session for use in another client. This means the only attack left is a successful XSS attack that loads the hashed token from wherever it is stored (or reuses the same AJAX request functions) and then performs actions (CSRF) using the victim's browser (only).

This might seem like only a partial win, but a hack allowing arbitrary JavaScript to run in your clients' browsers (XSS) leaves you with unavoidably big issues anyway. Both CORS and CSP headers are recommended.
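The server side of this scheme, as an added example that is not part of the original gist: the cookie secret and the client token are issued together at login, only the token's hash is stored, and a request is accepted only when both halves are present and match. The in-memory store, the `X-Session-Token` header name and the cookie name `session` are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory session store for this example: maps the cookie
# secret to the user and the SHA-256 hash of the token the client must echo.
SESSIONS: Dict[str, Dict[str, str]] = {}


def create_session(user_id: str) -> Tuple[str, str]:
    """Log a user in and return (cookie_secret, client_token).

    cookie_secret goes into an httpOnly, Secure cookie; client_token goes in
    the response body so the page's JavaScript can store it and send it back
    in a header. Only the hash of the token is kept server-side.
    """
    cookie_secret = secrets.token_urlsafe(32)
    client_token = secrets.token_urlsafe(32)
    SESSIONS[cookie_secret] = {
        "user_id": user_id,
        "token_hash": hashlib.sha256(client_token.encode()).hexdigest(),
    }
    return cookie_secret, client_token


def set_cookie_header(cookie_secret: str) -> str:
    """Set-Cookie value: not readable by script, never sent over plain HTTP."""
    return f"session={cookie_secret}; HttpOnly; Secure; SameSite=Strict; Path=/"


def authenticate(cookie_secret: Optional[str], header_token: Optional[str]) -> Optional[str]:
    """Return the user id only if BOTH halves check out, otherwise None.

    Missing/unknown cookie: request did not come from the victim's browser,
    so a stolen token alone is useless. Missing/wrong X-Session-Token: the
    browser attached the cookie automatically (CSRF), useless without the token.
    """
    if not cookie_secret or not header_token:
        return None
    session = SESSIONS.get(cookie_secret)
    if session is None:
        return None
    presented = hashlib.sha256(header_token.encode()).hexdigest()
    # Constant-time comparison so the check leaks no timing information.
    if not hmac.compare_digest(presented, session["token_hash"]):
        return None
    return session["user_id"]
```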

Based on a question by Magnus Jeffs Tovslid.
