Replies: 1 comment 3 replies
-
|
Echo CSRF is so basic/naive that it should be pretty much considered as a measure for copy/pasting links from untrusted source or a measure against double posting. It does not store token even in session - just cookies - it compares CSRF you posted from form and compares it to token in cookie. I think worrying about BREACH is least of your problem if your browser starts to guess COOKIE through compressed traffic - at this point you might as well read the cookie (is |
Beta Was this translation helpful? Give feedback.
-
|
it makes less sense to (re)implement anything more sophisticated in Echo as it has to been kept up to date. We might just recommend (as more suitable for more security sensitive cases) gorilla with example of wrapping is in Echo middleware handler and deprecate the old one. |
Beta Was this translation helpful? Give feedback.
-
|
but I have to admit https://attack.csrf.patrickod.com/ is interesting and is applicable to Echo CSRF middleware. CSRF and CORS are so connected - if you want CRSF you need CORS middleware also. it would be really nice if Go teams solves the CORS problem and we could just deprecate/delete our middleware. everyone implementing their own wheels is just stupid. |
Beta Was this translation helpful? Give feedback.
-
|
Simple things that we can start off is that
|
Beta Was this translation helpful? Give feedback.
-
I was reading golang/go#73626, and it made me wonder about echo's csrf implementation.
Unless I am reading the code incorrectly, Echo doesn't seem to "mask" the token placed into the context, and if the user is using a
TokenLookupofquery:orform:, it seems like it would be vulnerable to a BREACH attack?gorilla/csrfdoes do masking.I also wonder if any of the other recommendations in that linked Go issue would be a good idea to implement in echo's csrf protections.
Beta Was this translation helpful? Give feedback.
All reactions