AccueilGlossaire › CSRF Token (Synchronizer Token Pattern)

CSRF Token (Synchronizer Token Pattern)

Sécurité

Token unique par session/request prévenant attaques CSRF.

CSRF Token (Synchronizer Token Pattern) est la défense CSRF la plus classique : server génère un token random unpredictable, attaché à la session user, inclus dans chaque formulaire ou state-changing request. Server vérifie présence et validité avant traiter. Attaquant CSRF ne peut pas deviner ou récupérer le token.

Workflow :
(1) User authentifié arrive sur page form (e.g. transfer funds).
(2) Server génère token random (256+ bits crypto), associate avec session, embed dans HTML form : `<input type="hidden" name="csrf_token" value="a8d9f7e...">`.
(3) User submit form, token envoyé.
(4) Server compare token vs session-stored token. Match → process. Mismatch → reject (403 Forbidden).
(5) Token typically single-use (regenerated after use) ou per-session (rotate on login).

Génération :
(1) **Crypto-secure random** (Python `secrets.token_urlsafe(32)`, JS `crypto.randomBytes(32).toString('hex')`).
(2) **Bound to user session** — token only valid for the user.
(3) **Time-limited optional** — expire après N minutes inactivity.
(4) **Per-request** (more secure) ou per-session (more usable).

Where include token :
(1) **Hidden form fields** — classic.
(2) **Custom HTTP header** — `X-CSRF-Token: ...` for AJAX requests.
(3) **Meta tag** — `<meta name="csrf-token" content="...">` for SPA to read et include header.
(4) **JS variable** — embedded dans page, read by frontend code.

Framework auto-protection :
- **Django** : `{% csrf_token %}` template tag, middleware verify.
- **Rails** : `protect_from_forgery`, `csrf_meta_tags` helper.
- **Spring Security** : enabled by default, `_csrf` field auto-inserted.
- **Laravel** : `@csrf` Blade directive, middleware.
- **ASP.NET MVC** : `@Html.AntiForgeryToken()`, `[ValidateAntiForgeryToken]`.
- **Express.js** : csurf middleware.

Vs Double-Submit pattern :
- **Synchronizer (server-stored)** — more secure (no cookie manipulation possible), but stateful (session storage required).
- **Double-Submit (stateless)** — simpler scaling, but cookie attack vectors possible.

Best practices :
(1) Enable framework CSRF protection — don't disable.
(2) GET requests should be safe (no state change) — CSRF tokens not needed for GET.
(3) Combine with SameSite=Lax cookies (defense in depth).
(4) Regenerate token on login (prevent session fixation attacks).
(5) Custom requests headers (`X-Requested-With: XMLHttpRequest`) historical mitigation no longer reliable (CORS configs may allow).

Real-world : OWASP A01 Broken Access Control includes CSRF, classic bug bounty finding pour apps without protection. Compétences Security+, CISSP, OSCP.

Certifications qui couvrent ce concept
Security+ CISSP OSCP
Termes liés
CSRF (Cross-Site Request Forgery) Double-Submit Cookie Pattern (CSRF defense) SameSite Cookie Attribute Cookie Security (Secure, HttpOnly flags)

Préparez vos certifications IT gratuitement

200+ certifications, 400 000+ questions, examens blancs chronométrés.

Voir le catalogue →
← Retour au glossaire