-
Notifications
You must be signed in to change notification settings - Fork 2.5k
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSRF protection #82
Comments
I'd still like an answer to this question. I won't be comfortable using Remix for a serious project until I know I can protect users from CSRF. Thanks. |
I'll take a stab at answering this. The answer is that, even with classic forms, protection from CSRF falls on you to implement. Remix could do it for you, but since we have a number of implementation choices your mitigation might be different. Still, updating the docs on release would be helpful. Essentially for CSRF attacks you need three things: So let's talk about Remix here. We definitely have #1 with form actions. Not much to do there. #2 Cookie based session handling: Remix provides multiple ways to do session handling. If you use cookies, you can protect against this by setting SameSite=Strict on your session cookies. This prevents all requests coming from third party sites from attaching your session cookie, and you're safe. If you're using file based sessions, the session ID is the only thing stored in the cookie, and essentially acts as a CSRF token, since the session ID is also in the file on the server. You probably still need to check the two match when you call an action. Same thing if you implement database session storage. #3 No unpredictable request parameters: This one is up to you to implement, but you have options. If you're using cookies you should set sameSite=Strict in production, or have your Remix server generate a unique per user session CSRF token, and include that in your form as a hidden field. Then check that its valid in your form action. With file based or db based, you can implement CSRF token checks in your actions and store the token server side. Either way, assuming you behave responsibly, there is no reason Remix is more vulnerable to CSRF because of regular form actions. As I mentioned earlier though, the docs should be updated to discuss this, and I'm sure they will be once we've hit 1.0 |
I'm shocked that this web framework uses HTML Forms, but does not protect against CSRF attacks by default. To make matters worse, the documentation does not even mention this. Where it does mention it, it is completely wrong
To reiterate for those in the back, using a I'm a long time user of frameworks like Symfony who provide CSRF protection out of the box and on by default. You have to explicitly disable the protection on a per-form basis. This is similar to React's built-in XSS protection and their extremely verbose method of bypassing it. The above comment is also incorrect because it assumes that I'm running a site on the internet rather than perhaps an intranet. Let's say I build a form for Example, Inc.'s internal intranet and it's hosted at Well one day I get an email to my personal email that all of our employees have been deleted from our database! How is that possible? Well... come to find out, one of our employees went to a competitor's website to do some price comparisons, they had a little snippet on their site that looks like this:
while they weren't able to read the response with JavaScript, the browser happily executed the request since it met the qualifications for a simple request. There are really only a few ways to protect against this:
If 2 is implemented, it needs to be well documented that the cookie should be excluded from caching decisions. You wouldn't want someone to always bypass the HTTP cache just because they happened to land on a page with a form. I can't recommend that anyone use this framework until this is fixed. Yes, engineers do (on occasion) need a way to opt-out of these protections, but by default they should be there. I'm really hoping this is resolved quickly because Remix does seem really great and I'm excited to make something with it! |
Perhaps Remix is relying on the SameSite feature of cookies, now implemented in all modern browsers, for CSRF protection. That would be in keeping with the theme of being built on modern web fundamentals. |
If that's the case, then it should be made explicit in the documentation, but in my example above, the |
Maybe it could help someone :) https://sergiodxa.com/articles/adding-csrf-protection-to-remix Package here : https://github.com/sergiodxa/remix-utils |
If using OAuth to start an authenticated session, one often has to use |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Since Remix encourages the use of classic HTML form posts, I wonder if it has any sort of protection against cross-site request forgery. If so, I couldn't find anything about that in the docs.
The text was updated successfully, but these errors were encountered: