CSRF protection #2906
Replies: 11 comments 8 replies
-
I'd still like an answer to this question. I won't be comfortable using Remix for a serious project until I know I can protect users from CSRF. Thanks. |
Beta Was this translation helpful? Give feedback.
-
I'll take a stab at answering this. The answer is that, even with classic forms, protection from CSRF falls on you to implement. Remix could do it for you, but since we have a number of implementation choices your mitigation might be different. Still, updating the docs on release would be helpful. Essentially for CSRF attacks you need three things: So let's talk about Remix here. We definitely have #1 with form actions. Not much to do there. #2 Cookie based session handling: Remix provides multiple ways to do session handling. If you use cookies, you can protect against this by setting SameSite=Strict on your session cookies. This prevents all requests coming from third party sites from attaching your session cookie, and you're safe. If you're using file based sessions, the session ID is the only thing stored in the cookie, and essentially acts as a CSRF token, since the session ID is also in the file on the server. You probably still need to check the two match when you call an action. Same thing if you implement database session storage. #3 No unpredictable request parameters: This one is up to you to implement, but you have options. If you're using cookies you should set sameSite=Strict in production, or have your Remix server generate a unique per user session CSRF token, and include that in your form as a hidden field. Then check that its valid in your form action. With file based or db based, you can implement CSRF token checks in your actions and store the token server side. Either way, assuming you behave responsibly, there is no reason Remix is more vulnerable to CSRF because of regular form actions. As I mentioned earlier though, the docs should be updated to discuss this, and I'm sure they will be once we've hit 1.0 |
Beta Was this translation helpful? Give feedback.
-
I'm shocked that this web framework uses HTML Forms, but does not protect against CSRF attacks by default. To make matters worse, the documentation does not even mention this. Where it does mention it, it is completely wrong
To reiterate for those in the back, using a I'm a long time user of frameworks like Symfony who provide CSRF protection out of the box and on by default. You have to explicitly disable the protection on a per-form basis. This is similar to React's built-in XSS protection and their extremely verbose method of bypassing it. The above comment is also incorrect because it assumes that I'm running a site on the internet rather than perhaps an intranet. Let's say I build a form for Example, Inc.'s internal intranet and it's hosted at Well one day I get an email to my personal email that all of our employees have been deleted from our database! How is that possible? Well... come to find out, one of our employees went to a competitor's website to do some price comparisons, they had a little snippet on their site that looks like this:
while they weren't able to read the response with JavaScript, the browser happily executed the request since it met the qualifications for a simple request. There are really only a few ways to protect against this:
If 2 is implemented, it needs to be well documented that the cookie should be excluded from caching decisions. You wouldn't want someone to always bypass the HTTP cache just because they happened to land on a page with a form. I can't recommend that anyone use this framework until this is fixed. Yes, engineers do (on occasion) need a way to opt-out of these protections, but by default they should be there. I'm really hoping this is resolved quickly because Remix does seem really great and I'm excited to make something with it! |
Beta Was this translation helpful? Give feedback.
-
Perhaps Remix is relying on the SameSite feature of cookies, now implemented in all modern browsers, for CSRF protection. That would be in keeping with the theme of being built on modern web fundamentals. |
Beta Was this translation helpful? Give feedback.
-
If that's the case, then it should be made explicit in the documentation, but in my example above, the |
Beta Was this translation helpful? Give feedback.
-
Maybe it could help someone :) https://sergiodxa.com/articles/adding-csrf-protection-to-remix Package here : https://github.com/sergiodxa/remix-utils |
Beta Was this translation helpful? Give feedback.
-
If using OAuth to start an authenticated session, one often has to use |
Beta Was this translation helpful? Give feedback.
-
It's important to note that SameSite cookies cannot be relied on for CSRF protection at this point in time. While 96% of browsers do support the SameSite cookie attribute, the 4% of browsers that don't will treat SameSite cookies as regular cookies; as a result voiding any protection that the SameSite attribute might have had. In addition, only 75% of browsers default to SameSite=Lax, leaving 25% still defaulting to SameSite=None. I'd strongly echo the sentiment of others here that have said that should be implemented by default as part of Remix. At the very least, it needs to be documented if Remix plans on relying on the SameSite attribute for CSRF protection - without further changes, I would definitely not consider the SameSite attribute to be reliable enough to be the only protection against CSRF attacks. There's some additional information on how effective the SameSite attribute is in this security stack exchange question that might also be interesting to some folks. Statistics last updated 2024-07-15. |
Beta Was this translation helpful? Give feedback.
-
Is there any plan to make CSRF tokens a default behaviour for forms? Coming from an SPA background and not using forms in a while, I honestly wouldn't even have considered this issue until stumbling upon it again today. For big frameworks, you kind of expect basic security concerns like this to be mitigated by default... |
Beta Was this translation helpful? Give feedback.
-
I saw a question about CSRF in Remix asked in the roadmap planning livestream today. Just wanted to follow up and say that @davidbarratt-drizly was right that this should have been called out in the documentation. It was added in August 2022 (over a year ago) |
Beta Was this translation helpful? Give feedback.
-
But SameSite=Lax won't protect from CSRF attack when user being redirected to website using form, it's not tricky to implement |
Beta Was this translation helpful? Give feedback.
-
Since Remix encourages the use of classic HTML form posts, I wonder if it has any sort of protection against cross-site request forgery. If so, I couldn't find anything about that in the docs.
Beta Was this translation helpful? Give feedback.
All reactions