avant (SolidJS, 2y ago)

Does SolidStart have CSRF protection by default?

Didn't find it in the docs, so I'm just asking to be sure.
17 Replies
Alex Lohr (2y ago)
You'd usually add a hidden field to your forms and validate that against your session. Solid Start does not influence your forms. Though this might be a worthy addition to our new start primitive. Or maybe a form library like #modular-forms might be interested in supporting such a functionality? @fabianhiller, do you think this might be up your alley or should I think about a primitive?
Fabian Hiller (2y ago)
Can't this be prevented with the SameSite cookie attribute?
Alex Lohr (2y ago)
That would work, too, but it requires a cookie banner in the EU, unlike tokens, so I feel such a mechanism might still be of value.
Fabian Hiller (2y ago)
I don't think it always needs a cookie banner. As far as I know, cookies without which the website does not work (e.g. auth cookies) can be set.
Alex Lohr (2y ago)
If the cookie is not persisted beyond the session, that might be a gray area.
belst (2y ago)
Even for functional cookies you need a banner, but only to inform that they exist. You don't need to ask for consent.
Mathieu (2y ago)
ChatGPT says for essential cookies only, no banner is needed:
In the European Union, the General Data Protection Regulation (GDPR) and the ePrivacy Directive, often referred to as the "Cookie Law", regulate the use of cookies. Under these regulations, websites must obtain informed consent from users before storing non-essential cookies. Essential cookies are those necessary for the technical operation of the site, such as session cookies used to track a user's login status. Non-essential cookies include those used for analytics, advertising, or user tracking. In practice, this means that if your website is accessible to users in the EU and uses non-essential cookies, you must display a cookie consent banner or some other mechanism for obtaining informed consent. This banner should inform users about what cookies are being used, what they're used for, and give them a clear option to opt in or out of these cookies.
belst (2y ago)
Banner is maybe not the correct thing, but you need a disclaimer somewhere (e.g. in the footer) where you notify about the use of cookies. You don't need to ask for consent, but you still need to inform.
Mathieu (2y ago)
So you mean the text above was talking about something else? If so, what is the name of the policy you are referring to?
Alex Lohr (2y ago)
You probably mean § 6 b, d or f GDPR, but the necessity doesn't apply since you can use a token instead of a cookie, so the lawful persistence of data is down to § 6 a GDPR, which requires explicit consent.
Mathieu (2y ago)
So what about essential cookies only (i.e. to maintain a session)? What policy or law says that I need to inform the user of the use of essential cookies to maintain a session? According to belst I need to inform, but I do not think so?
Alex Lohr (2y ago)
Art. 12 GDPR requires full transparency of all data processing (which includes matching a session cookie to a user account, thereby identifying the user).
Jasmin (2y ago)
Hey, I hope it's fine if I still write here after 2 months :) Do you have an example of how to create a value for this hidden field and how to check it on the Solid server side? I use the Solid server side like a proxy to enable SSR and have my separate backend, so it's stateless besides the cookies which are sent with the request.
Alex Lohr (2y ago)
Sure thing. You just want a safe random value (crypto-grade random).
Jasmin (2y ago)
Ah which is unique to every user and generated on the backend? And saved for example in the local storage?
Alex Lohr (2y ago)
No, unique for the single form interaction. Server renders form with hidden input with key -> client submits -> server validates key for that form (only valid once to secure against replay attacks).