XSRF / CSRF within Serverless applications

Currently working on an internal application, basically a static web site (HTML and Angular on AWS S3 with API Gateway and Lambda in the backend) and using Cognito’s JWTs initially. Though this site will be internal only, they will still need to meet strict XSS and XSRF rules.

Been trying to work out how XSRF would be handled, as there will be no state server to track the values that need to be issued with the pages and cookies? Plus, the static pages would not be able to have a unique token created without making an API call in the first place.

Sorry, it’s been a while since I’ve been this close to the development side and the current developers are on a steep learning curve. Any advice would be greatly appreciated.

Hi @AndyC,
Well, it depends on the level of security you want to accomplish.

The most simple thing you can do is to inject a custom header: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers
Using a custom header, however, is only “secure” (if at all) if your app is not vulnerable to XSS.

The next best thing you can do is to go with a “Double Submit Cookie”: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookie
Stormpath has a nice article about it, too: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage.

And, if this is an option, don’t store the JWT in a cookie at all, then XSRF is not an issue.

Hope this helps.


Thanks for your kind response mate, must admit I had trawled through most of that a few times and certainly was leaning to double submit, but also they won’t be storing the JWT in a cookie anyway, just a lot of mixed info out there about how secure that was if you’re protected against XSS, that it may still be insecure without CSRF. Knowing my clients they will want both, so will see what their pen tests turn up I guess.

Better than the developers issuing CSRF page values and cookies from API calls which didn’t feel right at all. Thanks again, at least this has been good to brush up on my client side security again, been too long lol