⚠️ This post links to an external website. ⚠️
Phoenix projects created with `mix phx.new` are protected from Cross-Site Request Forgery (CSRF) attacks by CSRF tokens. While simple and effective, CSRF tokens have some annoying downsides:
- They have to be included in every ‘unsafe’ request (e.g. POST, PUT, DELETE, etc.)
- Tokens included in a page’s HTML must be masked as a countermeasure against BREACH
- Tokens become invalid if the user’s session expires or is cleared (e.g. on login/logout)
The good news is that since 2023, all major browsers send a Sec-Fetch-Site header with every request. Its value tells the server whether the request was initiated from the same origin, from the same site (e.g. a sibling subdomain), from a different site, or by the user directly (a typed URL or bookmark, reported as "none"). Older browsers and non-browser clients such as curl simply omit the header, which is why a server-side check needs a fallback for the missing case.
Filippo Valsorda, Go cryptography maintainer, implemented Go 1.25's `CrossOriginProtection` middleware using the Sec-Fetch-Site and Origin headers. By reading through Filippo's notes on how this middleware works and `CrossOriginProtection`'s source code, I was able to write a Sec-Fetch-Site based Plug for CSRF protection that I use in my Phoenix apps.
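To make the decision procedure concrete for both the Sec-Fetch-Site paragraph above and the description of Go's middleware, here is an added example that is not from the original post, not the author's Phoenix Plug, and not the Go standard-library code. It is my own reimplementation of the check as I understand it from the documented behaviour of `CrossOriginProtection`: safe methods always pass; a Sec-Fetch-Site of `same-origin` or `none` passes; `cross-site` and `same-site` are rejected; when the header is absent the Origin header's host is compared with the request's Host; when both headers are absent the request is allowed because it is either same-origin or not from a browser. The hostnames and header combinations in the cases are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// ErrCrossOrigin is returned for state-changing browser requests that arrive
// from another origin or another site.
var ErrCrossOrigin = errors.New("cross-origin request rejected")

// checkCrossOrigin is an own reimplementation (for illustration) of the
// decision procedure documented for Go 1.25's http.CrossOriginProtection.
// It returns nil when the request may proceed and ErrCrossOrigin otherwise.
func checkCrossOrigin(r *http.Request) error {
	// Safe methods are always allowed. They must never change server state,
	// otherwise this whole scheme (and token-based CSRF protection) is moot.
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return nil
	}

	// Fetch Metadata first: every major browser has sent this since 2023.
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin", "none":
		// "none" is a user-initiated navigation (typed URL, bookmark).
		return nil
	case "":
		// Header absent: an old browser or a non-browser client.
		// Fall through to the Origin/Host comparison below.
	default:
		// "cross-site" or "same-site". A sibling subdomain is still a
		// different origin, so it is rejected too.
		return ErrCrossOrigin
	}

	origin := r.Header.Get("Origin")
	if origin == "" {
		// Neither header present: assumed same-origin or not a browser (curl, scripts).
		return nil
	}
	if o, err := url.Parse(origin); err == nil && o.Host == r.Host {
		// Origin host matches Host. Host carries no scheme, so an http->https
		// request from a pre-2023 browser would pass here; HSTS closes that gap.
		return nil
	}
	// Origin present and pointing at another host.
	return ErrCrossOrigin
}

// newRequest builds a server-style request for the given host with the
// constructed headers used by main and by tests.
func newRequest(method, host string, headers map[string]string) *http.Request {
	r, _ := http.NewRequest(method, "https://"+host+"/posts", nil)
	r.Host = host
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	host := "app.example.com" // constructed hostname
	cases := []struct {
		name    string
		method  string
		headers map[string]string
	}{
		{"same-origin form POST", "POST", map[string]string{"Sec-Fetch-Site": "same-origin"}},
		{"cross-site form POST (classic CSRF)", "POST", map[string]string{"Sec-Fetch-Site": "cross-site", "Origin": "https://evil.example"}},
		{"same-site POST from a subdomain", "POST", map[string]string{"Sec-Fetch-Site": "same-site"}},
		{"old browser, matching Origin", "POST", map[string]string{"Origin": "https://app.example.com"}},
		{"old browser, foreign Origin", "POST", map[string]string{"Origin": "https://evil.example"}},
		{"curl DELETE, no headers", "DELETE", nil},
		{"cross-site GET (safe method)", "GET", map[string]string{"Sec-Fetch-Site": "cross-site"}},
	}
	for _, c := range cases {
		err := checkCrossOrigin(newRequest(c.method, host, c.headers))
		fmt.Printf("%-38s -> %v\n", c.name, err)
	}
}
```

A Plug implementing the same procedure would run this check on the browser pipeline and halt with a 403 when it fails; the exemptions the Go middleware offers (trusted origins, bypass paths) are left out here to keep the core decision visible.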
continue reading on mediremi.com
If this post was enjoyable or useful for you, please share it! If you have comments, questions, or feedback, you can email my personal email. To get new posts, subscribe via the RSS feed.