Cross-Site Request Forgery (CSRF) in dolittle framework

I’m working on a project with React as the frontend and Dolittle as the backend, using cookie-based authentication. The issue with using cookies is that they are sent with every request to the server, so another malicious site can run a POST request against our website to change state or access sensitive data.

The most widely known solution is to implement an anti-forgery token, which generates a random token for every POST request to ensure the request comes from a verified site.

For this type of issue, we are only concerned with commands; these are POST requests, which are vulnerable to CSRF attacks because they change the state of the system.

In order to prevent CSRF attacks, every incoming POST request must carry an anti-forgery token. How can this be implemented using the CommandCoordinator class in the frontend?

The CommandCoordinator and QueryCoordinator both use POST when executing, so you may need to override the anti-forgery token for both. There is a way to override the headers of the posts by registering a callback that will be executed on every request.

It’s not documented, unfortunately, but this answer explains the usage: Redirect when cookie timeout

I hope that helps!

This should provide the flexibility I need, thanks! :smile:

1 Like