POST based CSRF

Description

The canonical content-type for GraphQL queries is JSON (application/json). Other content-types should be rejected as they facilitate CSRF attacks (e.g., via form submission).

Note that CSRF is an attack vector that specifically targets requests for which the browser automatically attaches authentication (typically a Cookie or Basic Authentication header).

In particular, if your application attaches its credentials via an Authorization header, the browser cannot authenticate requests on its own, and CSRF is not possible.

Remediation

Only allow requests with the Content-Type header set to application/json.
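As an added example (not code from the Escape page or from any of the frameworks listed below), a Node.js guard that enforces this remediation in front of a GraphQL executor; the function names and the request shape are assumptions:

```javascript
// Added example: a Content-Type guard for a GraphQL POST endpoint.
// Cross-site HTML forms can only submit text/plain,
// application/x-www-form-urlencoded or multipart/form-data, so requiring
// application/json closes the form-submission CSRF path described above.

const ALLOWED_MEDIA_TYPE = "application/json";

// Parse "type/subtype; param=value" into a lowercase media type plus params.
function parseContentType(header) {
  if (typeof header !== "string" || header.trim() === "") return null;
  const [type, ...rawParams] = header.split(";");
  const params = {};
  for (const p of rawParams) {
    const [k, v] = p.split("=").map((s) => s.trim());
    if (k) params[k.toLowerCase()] = (v || "").replace(/^"|"$/g, "").toLowerCase();
  }
  return { mediaType: type.trim().toLowerCase(), params };
}

// True only for application/json; a charset parameter is accepted.
function isJsonContentType(header) {
  const parsed = parseContentType(header);
  return parsed !== null && parsed.mediaType === ALLOWED_MEDIA_TYPE;
}

// Run before parsing the GraphQL body. Returns null when the POST may
// proceed, otherwise an HTTP error response to send back unchanged.
// req is assumed to look like Node's IncomingMessage: { method, headers }.
function guardGraphqlRequest(req) {
  const method = (req.method || "GET").toUpperCase();
  if (method !== "POST") return null; // non-POST handling is left to the server
  const header = req.headers["content-type"];
  if (!isJsonContentType(header)) {
    return {
      status: 415,
      headers: { "Content-Type": "text/plain" },
      body: "Unsupported Media Type: GraphQL requests must use application/json",
    };
  }
  return null;
}
```

A rejected request never reaches the resolver, so a forged form post cannot execute a mutation even when the victim's session cookie is attached.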

GraphQL Specific

  • Apollo: To mitigate POST-based CSRF attacks in the Apollo framework, implement anti-CSRF tokens in your application. Generate a unique token for each user session and include it as a hidden field in your forms. Verify the token on the server side before processing any POST request. Additionally, consider using the 'SameSite' attribute for cookies to restrict cross-origin requests.
  • Yoga: To mitigate POST-based CSRF attacks in the Yoga framework engine, implement anti-CSRF tokens in your forms. Generate a unique token for each user session and include it as a hidden field in your POST forms. Verify the token on the server side before processing any POST request. Additionally, ensure that the 'SameSite' attribute for cookies is set to 'Lax' or 'Strict' to prevent cross-site request forgery. It is also recommended to use the Yoga framework's built-in security features or middleware that provide CSRF protection.
  • Awsappsync: To mitigate POST-based CSRF vulnerabilities in AWS AppSync, ensure that all sensitive mutations require authentication and are protected with tokens such as CSRF tokens or API keys. Implement a robust authentication mechanism, such as AWS Cognito, and use it to validate user sessions for each request. Additionally, consider using AWS WAF to create custom rules that validate the presence of custom headers or tokens that are unique to your application and difficult to forge. Regularly review and update your security policies to keep up with the latest threats.
  • Graphqlgo: To mitigate POST-based CSRF attacks in a GraphQL Go framework engine, implement anti-CSRF tokens by generating a unique token for each user session and requiring that token to be included as a header or in the payload of every state-changing POST request. Validate the token on the server side before processing the request. Additionally, ensure that CORS policies are correctly set to restrict cross-origin requests from untrusted domains.
  • Graphqlruby: To mitigate POST-based CSRF attacks in a GraphQL Ruby framework, ensure that you implement CSRF tokens within your application. Use the built-in Rails CSRF protection by including `protect_from_forgery with: :exception` in your controllers. Additionally, verify that every state-changing request includes a valid CSRF token. For GraphQL, you can pass the CSRF token within the HTTP headers or the body of the POST request and validate it on the server side. Also, consider using SameSite cookie attributes and CORS policies to restrict cross-origin requests.
  • Hasura: To mitigate POST-based CSRF attacks in the Hasura framework, ensure that all state-changing operations require a valid CSRF token. Implement a strong CSRF protection mechanism by utilizing Hasura's webhook or JWT-based authentication methods, which inherently provide CSRF protection by requiring a valid authentication token for each request. Additionally, consider using the 'SameSite' attribute for cookies to restrict their sending to same-site requests only. Regularly review and update your security configurations to keep up with best practices.
  • Agoo: Ensure that the Agoo framework only accepts GraphQL requests with the 'application/json' content-type to prevent CSRF attacks. Reject any requests with other content-types to enhance security.
  • Ariadne: Ensure that your Ariadne GraphQL server only accepts requests with the 'application/json' content-type to prevent CSRF attacks. This can be achieved by validating the 'Content-Type' header of incoming requests and rejecting any that do not match 'application/json'.
  • Caliban: Ensure that the Caliban framework only accepts GraphQL requests with the 'application/json' content-type to prevent CSRF attacks. Reject any requests with other content-types to enhance security.
  • Dgraph: Ensure that all GraphQL endpoints in the Dgraph framework only accept requests with the 'application/json' content-type to prevent CSRF attacks. Reject any requests with other content-types to enhance security.
  • Dianajl: Ensure that the DianaJL framework engine only accepts GraphQL requests with the 'application/json' content-type to prevent CSRF attacks. Reject any requests with other content-types to enhance security.
  • Directus: Ensure that all GraphQL endpoints in the Directus framework only accept requests with the 'application/json' content-type to prevent CSRF attacks. Additionally, verify that authentication credentials are not automatically included in requests by the browser, such as through cookies, to further mitigate CSRF risks.
  • Flutter: Ensure that all HTTP requests in your Flutter application use secure methods to prevent CSRF attacks. Implement token-based authentication mechanisms, such as OAuth, where the browser cannot automatically include credentials. Additionally, validate the content-type of incoming requests to ensure they match the expected format, such as 'application/json', to mitigate CSRF risks.
  • Graphene: Ensure that your Graphene-based GraphQL API only accepts requests with the 'application/json' content-type to prevent CSRF attacks. Reject any requests with other content-types to enhance security.
  • Graphqlapiforwp: Ensure that the GraphQL API for the WordPress framework only accepts requests with the 'application/json' content-type to prevent CSRF attacks. Reject any requests with other content-types to enhance security.
  • Graphqlgophergo: Ensure that GraphQL endpoints in the GopherGo framework only accept requests with the 'application/json' content-type to prevent CSRF attacks. Additionally, verify that authentication credentials are not automatically included by the browser, such as through cookies, to further mitigate CSRF risks.
  • Graphqljava: Ensure that the GraphQL server only accepts requests with the 'Content-Type' header set to 'application/json' to prevent CSRF attacks. Additionally, verify that authentication credentials are not automatically included in requests, such as through cookies, to further mitigate CSRF risks.
  • Graphqlphp: Ensure that your GraphQL endpoint in the graphqlphp framework only accepts requests with the 'application/json' content-type to prevent CSRF attacks. Reject any requests with other content-types to enhance security.
  • Graphqlyoga: Ensure that the GraphQL Yoga server only accepts requests with the 'application/json' content-type to prevent CSRF attacks, as browsers cannot automatically send credentials in the 'Authorization' header.
  • Hypergraphql: Ensure that the HyperGraphQL framework only accepts requests with the 'application/json' content-type to prevent CSRF attacks by rejecting other content-types.
  • Jaal: Ensure that the Jaal framework engine only accepts GraphQL requests with the 'application/json' content-type to prevent CSRF attacks. Reject any requests with other content-types to enhance security.
  • Juniper: Ensure that the Juniper framework engine only accepts GraphQL requests with the 'application/json' content-type to prevent CSRF attacks. Reject any requests with other content-types to enhance security.
  • Lacinia: Ensure that the Lacinia framework only accepts GraphQL requests with the 'application/json' content-type to prevent CSRF attacks. Reject any requests with other content-types to enhance security.
  • Lighthouse: Ensure that the GraphQL endpoint only accepts requests with the 'application/json' content-type to prevent CSRF attacks. Reject any other content-types to enhance security, especially when using cookie-based authentication.
  • Mercurius: Ensure that the Mercurius framework only accepts GraphQL requests with the 'application/json' content-type to prevent CSRF attacks. Reject any requests with other content-types to enhance security.
  • Morpheusgraphql: Ensure that the MorpheusGraphQL framework engine only accepts requests with the 'application/json' content-type for GraphQL queries to prevent CSRF attacks. Reject any other content-types to enhance security.
  • Gqlgen: Ensure that the gqlgen framework only accepts requests with the 'application/json' content-type to prevent CSRF attacks. Reject any requests with other content-types to enhance security.
  • Sangria: Ensure that your Sangria GraphQL server only accepts requests with the 'application/json' content-type to prevent CSRF attacks. Additionally, verify that authentication credentials are not automatically included by the browser, such as through cookies, to further mitigate CSRF risks.
  • Shopify: Ensure that all GraphQL endpoints in the Shopify framework only accept requests with the 'application/json' content-type to prevent CSRF attacks. Reject any requests with other content-types to enhance security.
  • Stepzen: Ensure that the StepZen framework only accepts GraphQL requests with the 'application/json' content-type to prevent CSRF attacks. Reject any requests with other content-types to enhance security.
  • Strawberry: Ensure that the Strawberry framework only accepts GraphQL requests with the 'application/json' content-type to prevent CSRF attacks. Reject any requests with other content-types to enhance security.
  • Tartiflette: Ensure that the Tartiflette framework engine only accepts requests with the 'application/json' content-type for GraphQL queries to prevent CSRF attacks.
  • Wpgraphql: Ensure that the wpgraphql framework only accepts requests with the 'application/json' content-type to prevent CSRF attacks. Reject any requests with other content-types to enhance security.

Configuration

Identifier: request_forgery/csrf_post_based

Examples

Ignore this check

checks:
  request_forgery/csrf_post_based:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API2:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.9
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-6

Classification

  • CWE: 352

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:R
  • CVSS_SCORE: 4.6

References