Preventing CSRF attacks when using the cookie_session authenticator
#658
-
|
Oathkeeper doesn't seem to provide anything for CSRF protection when using the If it isn't the concern of oathkeeper, how does the app know whether it needs to verify CSRF tokens in the case there are multiple authentication methods where not all authentication methods require CSRF protection? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 1 reply
-
|
CSRF is an application concern, not of Oathkeeper. Authentication and CSRF are very distinct problems. The only crossover is that you generally want to refresh the CSRF cookie/token when a user logs out and freshly logs in. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for clarifying. |
Beta Was this translation helpful? Give feedback.
-
|
@aeneasr So, I have a scenario where I have Kratos, an SPA (that handles the serf service), and a backend API server (which is totally stateless). |
Beta Was this translation helpful? Give feedback.
CSRF is an application concern, not of Oathkeeper. Authentication and CSRF are very distinct problems. The only crossover is that you generally want to refresh the CSRF cookie/token when a user logs out and freshly logs in.