CORS and CSRF(XSRF)


This is probably a very simple question. I just want to make sure I correctly understand it:

If I disable CORS on my web server I am protected against CSRF (XSRF) attacks. Is that a correct assumption?


1 answer

Jake Feasel

Definitely not. The more likely attack vector for CSRF is for non-XHR requests (regular GET and POST), which aren't subject to CORS anyway. You need to check your URLs for the types of requests they allow, and protect accordingly. CORS actually makes this safer, if you can be sure it is being used.
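As an added illustration of the answer above (example code, not from the original post), the first function models what a browser sends for each request kind when the server returns no CORS headers, and the second shows a server-side CSRF check that does not rely on CORS at all. The origins, the `csrf_token` field name and the `SameSite`-free cookie model are assumptions made for the example.

```python
"""Why turning off CORS does not stop CSRF: model the browser side (what is sent
and what the attacking page can read) and a server-side check that is independent of CORS."""
import hmac

# Content types that make a cross-origin request "simple" (sent without a preflight).
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}
SITE = "https://app.example"  # hypothetical origin of the protected application


def browser_behaviour(kind, page_origin, target_origin, content_type, cors_allows_origin):
    """Return (request_reaches_server, response_readable_by_page).

    kind: 'form' (HTML form submit / navigation) or 'xhr' (XHR or fetch).
    cors_allows_origin: whether the server would answer with an
    Access-Control-Allow-Origin matching page_origin (False = "CORS disabled").
    Cookies are assumed to be sent cross-site (no SameSite attribute modelled).
    """
    if page_origin == target_origin:
        return True, True
    if kind == "form":
        # A form submission is a navigation: sent with cookies, CORS is never consulted.
        return True, False
    simple = content_type is None or content_type in SIMPLE_CONTENT_TYPES
    if simple:
        # Simple XHR/fetch is sent immediately (server side effects happen);
        # CORS only decides whether the calling page may read the reply.
        return True, cors_allows_origin
    # Non-simple requests (e.g. JSON bodies) are preflighted; with no CORS
    # headers the preflight fails and the real request is never sent.
    return cors_allows_origin, cors_allows_origin


def server_accepts(method, headers, form, session_token):
    """CSRF defence on the server: for state-changing methods require an Origin
    (or Referer) of our own site and the CSRF token bound to the session."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state, so nothing to protect
    source = headers.get("Origin") or headers.get("Referer", "")
    if not (source == SITE or source.startswith(SITE + "/")):
        return False
    # Constant-time comparison of the submitted token with the session's token.
    return hmac.compare_digest(form.get("csrf_token", ""), session_token)
```

The two "True, False" cases (cross-site form post and simple XHR) are exactly the requests the answer warns about: they reach the server and run with the victim's cookies whether or not CORS is enabled.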