Tips on CSRF security

[jamesli2021]

I have been researched on Origin Header which I'm unsure whether I'm implementing it correctly to harden site security.

As the basic
Go with GET method to /gettoken endpoint:

func getTokenHandler(c echo.Context) error {
	csrf, ok := c.Get("csrf").(string)
	if !ok {
		return ""
	}
	return c.JSON(http.StatusOK, map[string]string{"csrfToken": csrf})
}

On the fontend, the endpoint get CSRF token and add it to hidden input field within the login

.

<script>
const r: any = await fetch('/gettoken',{
  method: 'GET',
  headers: {
    'Accept': 'application/json',
  },
});
if (r.status !== 200) {
  throw new Error('Failed to fetch CSRF token');
}
const m = await r.json();
const x = document.getElementById('cic') as HTMLInputElement;
x && (x.value = m.csrfToken);
</script>

1. If Origin Header without CSRF is sufficient?
2. Is CSRF in Echo is synchronous token?
3. Is Cookies Signing on csrf with unique/secret value only for non-logged user can make hacking more difficult?

[aldas]

About Origin, maybe this helps https://stackoverflow.com/questions/24680302/csrf-protection-with-cors-origin-header-vs-csrf-token
NB: also check the "Linked" question block on the right side

[jamesli2021]

From my understanding if both CSRF token in HTML and cookie header has the same value, that seems attackers could easily gained hold of the new generated token through GET endpint, do you think double CSRF submit could be implement for Echo?

[aldas]

You can set expire time

echo/middleware/csrf.go

Line 50 in 69a0de8

CookieMaxAge int `yaml:"cookie_max_age"`

when cookie expires the browser will not (typically) send that cookie anymore thus triggering recreation of that cookie in CSRF middleware

[jamesli2021]

But we can't get expiry time to avoid losing users' unsaved draft.

[aldas]

You can set multiple cookies. One to store values related to data and one related to csrf token

[jamesli2021]

I have no idea on the multiple cookies, how do I store values related to data if e.g. has a title, description, other complex inputs?

Or another idea, I could reissue new CSRF token to extend 24 hours whenever user create or retrieve post?