
How to Beat Cross-Site Request Forgery Attacks

Cross-Site Request Forgery (CSRF) is a type of security threat in which malicious actors can gain access to user data and authentication information by exploiting HTTP cookies. Cookies are small nuggets of information sent in responses from web servers to the browser. The browser stores this information and includes the cookies in future requests to the web server. Cookies are typically tied to a specific domain, have an expiration, and carry other characteristics defined by cookie "attributes." In some cases, malicious scripts and content may be embedded in the web page rendered by the web browser. Because this content appears to be part of the page the browser renders, links to this content can result in cookies intended for the initial web server being delivered to the malicious sites.
The revision of RFC 6265 (rfc6265bis, linked at the end of this post) introduced a new cookie attribute called "SameSite" to address this CSRF issue.

This new attribute will change how cookies are handled once web browsers begin to support and enforce "SameSite." The SameSite cookie attribute is intended to provide a more secure browsing experience by reducing exposure to CSRF: it allows the web server to declare explicitly when the cookie should be sent. The SameSite attribute can have the following values:

  • None – the cookie will be sent with all requests, including cross-site requests
  • Lax – for cross-site requests, the cookie will be sent with top-level navigations only
  • Strict – the cookie will not be sent along with top-level navigations triggered from a cross-site document context (it is never sent on a cross-site request)
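
To make the three values concrete, the following is an added example (not code from this post or from Layer7 API Gateway) that models the browser-side decision: given a cookie's SameSite value and the context of a request, would the browser attach the cookie? It also models the "Lax by default" behaviour for cookies with no attribute, behind a flag. Two simplifications are assumptions of this model, not browser behaviour: a "site" is approximated as the last two labels of the host name rather than the Public Suffix List, and the set of "safe" methods is taken from RFC 7231.

```python
"""Model of the browser-side SameSite decision (added example, not Layer7 code)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# RFC 7231 "safe" methods; cross-site Lax cookies ride only on these.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def site_of(url: str) -> str:
    """Approximate the 'site' of a URL as its last two host labels.

    Assumption: real browsers use the Public Suffix List (eTLD+1) instead.
    """
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


@dataclass
class Request:
    initiator_url: str                  # the document that caused the request
    target_url: str                     # where the request is sent
    method: str = "GET"
    top_level_navigation: bool = False  # link click / form submit vs. subresource

    def is_same_site(self) -> bool:
        return site_of(self.initiator_url) == site_of(self.target_url)


def cookie_is_sent(samesite: Optional[str], req: Request, lax_by_default: bool = True) -> bool:
    """Return True if the browser would attach a cookie carrying this SameSite value.

    samesite is "None", "Lax", "Strict", or None when the attribute is absent.
    lax_by_default models the Chrome 80 behaviour of treating a missing
    attribute as Lax; with False a missing attribute behaves like None.
    """
    if req.is_same_site():
        return True  # SameSite never restricts same-site requests

    mode = (samesite or ("Lax" if lax_by_default else "None")).lower()
    if mode == "none":
        return True  # sent on every cross-site request
    if mode == "lax":
        # cross-site: only top-level navigations using a safe method
        return req.top_level_navigation and req.method.upper() in SAFE_METHODS
    if mode == "strict":
        return False  # never sent cross-site, not even for top-level navigation
    raise ValueError(f"unknown SameSite value: {samesite!r}")


if __name__ == "__main__":
    # Constructed requests from a third-party page to an application (example hosts).
    contexts = {
        "cross-site link (GET, top-level)": Request("https://other.test/", "https://app.example.com/account",
                                                    top_level_navigation=True),
        "cross-site form POST (top-level)": Request("https://other.test/", "https://app.example.com/transfer",
                                                    method="POST", top_level_navigation=True),
        "cross-site <img> subresource":     Request("https://other.test/", "https://app.example.com/avatar.png"),
    }
    for label, req in contexts.items():
        row = {v: cookie_is_sent(v, req) for v in ("None", "Lax", "Strict")}
        print(f"{label:34s} {row}")
```

The matrix printed by the script is the point of the list above: a cross-site form POST (the classic CSRF vector) carries the cookie only under SameSite=None, a cross-site link click still carries a Lax cookie, and Strict refuses both. That is also why Lax alone does not protect state-changing actions reachable by GET.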

Google is expected to be the first to begin enforcing the SameSite attribute with the upcoming release of Chrome 80 later this month. Chrome will default to "Lax" if the SameSite attribute is not explicitly set. Other popular browsers such as Microsoft Edge and Mozilla Firefox are expected to begin enforcing the SameSite attribute soon.

How does this apply to API Gateways?

You will need to check with your API Gateway provider to ensure support for SameSite. Broadcom has released an update for Layer7 API Gateway that directly provides support for the SameSite cookie attribute. This update ensures the gateway will properly support use cases where the gateway is used to protect web browser-based traffic (as is done by a number of our customers). With this change, Layer7 API Gateway will be able to directly set and modify the SameSite attribute of cookies.

Many existing web applications have not yet been updated to properly set the SameSite attribute in cookies. Once Chrome and other browsers such as Microsoft Edge and Mozilla Firefox adopt this change, there is a potential that user login sessions and single sign-on solutions will no longer work as expected. Layer7 API Gateway can be used to mitigate this risk. The Gateway can inject the proper values for the SameSite cookie attribute, acting as a bridge for existing web applications that have not yet been updated to set the attribute themselves. This will allow Layer7 API Gateway to ensure compatibility and keep critical systems up and running.
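
The bridging described above amounts to rewriting the Set-Cookie headers of upstream responses before they reach the browser. The following is an added example of that logic in Python; it is not Layer7 API Gateway's implementation or policy language. It assumes the gateway can see and modify response headers, and it uses a constructed allow-list, CROSS_SITE_COOKIES, for cookie names that must keep working in cross-site flows (the single sign-on case) and therefore need SameSite=None. Because Chrome 80 accepts SameSite=None only on cookies that also carry Secure, the rewrite adds Secure whenever the final value is None.

```python
"""Gateway-side Set-Cookie rewriting (added example, not Layer7 API Gateway code)."""
from typing import Iterable, List, Tuple

Header = Tuple[str, str]

# Constructed example: cookie names that legitimately travel cross-site (SSO)
# and so need SameSite=None rather than the Lax default.
CROSS_SITE_COOKIES = {"SSO_SESSION"}


def _find_attr(parts: List[str], attr: str) -> int:
    """Index of a cookie attribute (case-insensitive) in parts[1:], or -1."""
    for i, part in enumerate(parts[1:], start=1):
        if part.split("=", 1)[0].strip().lower() == attr:
            return i
    return -1


def add_samesite(set_cookie: str, default: str = "Lax") -> str:
    """Return the Set-Cookie value with a SameSite attribute guaranteed present.

    - An existing SameSite attribute (any case) is left untouched.
    - Cookies in CROSS_SITE_COOKIES get SameSite=None; everything else gets `default`.
    - SameSite=None without Secure gets Secure appended, because Chrome 80
      rejects None cookies that are not Secure.
    """
    # RFC 6265 forbids ';' inside cookie values, so splitting on it is safe.
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        return set_cookie  # not a well-formed name=value pair; leave it alone

    cookie_name = parts[0].split("=", 1)[0].strip()
    idx = _find_attr(parts, "samesite")
    if idx == -1:
        wanted = "None" if cookie_name in CROSS_SITE_COOKIES else default
        parts.append(f"SameSite={wanted}")
        idx = len(parts) - 1

    samesite_value = parts[idx].partition("=")[2].strip().lower()
    if samesite_value == "none" and _find_attr(parts, "secure") == -1:
        parts.append("Secure")
    return "; ".join(parts)


def rewrite_response_headers(headers: Iterable[Header], default: str = "Lax") -> List[Header]:
    """Apply add_samesite to every Set-Cookie header, leaving other headers as-is."""
    rewritten: List[Header] = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            value = add_samesite(value, default)
        rewritten.append((name, value))
    return rewritten


if __name__ == "__main__":
    # Constructed upstream response headers from an application not yet updated.
    upstream = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "JSESSIONID=abc; Path=/; HttpOnly"),
        ("Set-Cookie", "SSO_SESSION=tok; Path=/; HttpOnly"),
    ]
    for name, value in rewrite_response_headers(upstream):
        print(f"{name}: {value}")
```

The default of Lax mirrors what Chrome 80 would assume anyway, so the rewrite mostly makes the implicit behaviour explicit for browsers that do not yet enforce the attribute; the value it adds for the SSO cookie is the part that keeps the cross-site login flow working. Keep the allow-list short: every cookie moved to SameSite=None is a cookie that regains its full exposure to CSRF.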

For more details on the SameSite Attribute, you may find the RFC here: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1

For more details on Layer7 API Gateway update including these changes, please refer to the latest release notes here: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/release-notes-9-4/resolved-issues.html#concept.dita_bd083e022acc2d23c48d7b72fdad6bdad15da412_IssuesResolvedinVersion94CR4