There are two points to consider; only one of them has a solution:
The first case is a site that executes such a request on the client side, for example, on malicioso.com:
<img src="http://seusite.com/deletar_conta.php">
When the user accesses that page, their browser will call your page. This could be done with AJAX or any other method, provided it runs on the client side, in the browser of the user accessing malicioso.com.
Solutions:
Easy and generally applicable, with low impact for the user:
- Add the X-Frame-Options header with the value DENY. This will prevent another site from putting your website in an iframe.
- Add a CSRF token (generated with a CSPRNG) to all forms. The malicious site will not have access to the CSRF token unless there is another vulnerability, such as XSS.
- Add the SameSite flag with the value Strict to the session cookie (not natively supported by PHP, but you can do this manually). Requests made to your website from another site will not carry cookies, but this is still an experimental feature and not supported in all browsers.
Moderate, low impact for the user:
Difficult and high impact for the user:
The second case is preventing requests sent from outside my site, that is, preventing people from automating actions or using software such as curl to make requests to my site, for example:
curl -X "POST" -d "CSRF=12345678&CONTA=12345678" -H "Cookie: sessao=ui1j3dasqwe123;" -H "Referer: seusite.com" https://seusite.com/deletar_conta.php
I want to make sure that the user moved the mouse to the button and clicked there, inside my site.
Solutions:
"Pseudo-solutions":
This will not fix the issue; requests can still be made from outside your site!
- Do not recycle sessions
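The three "easy" defences from the answer above, put together in one PHP handler, as an added example that is not part of the original post. The cookie name sessao, the form field name CSRF and the account-deletion placeholder are assumptions; the SameSite flag is written manually as a Set-Cookie header, as the answer suggests for PHP versions that do not support it natively.

```php
<?php
// Added example, not from the original answer: the three "easy" defences in one
// PHP handler: X-Frame-Options, a CSPRNG-backed CSRF token, and a session cookie
// with SameSite=Strict written manually. Cookie and field names are assumptions.
declare(strict_types=1);

// 1) Refuse to be framed by any other origin.
header('X-Frame-Options: DENY');

// Stop PHP from emitting its own session cookie, so we can write a Set-Cookie
// header with SameSite=Strict ourselves (older PHP had no SameSite option).
ini_set('session.use_cookies', '0');
session_name('sessao');
if (isset($_COOKIE['sessao']) && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $_COOKIE['sessao'])) {
    session_id($_COOKIE['sessao']);
}
session_start();
header('Set-Cookie: sessao=' . session_id() . '; Path=/; Secure; HttpOnly; SameSite=Strict', false);

// 2) CSRF token: 32 bytes from a CSPRNG, kept server-side in the session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Constant-time comparison so the check does not leak the token byte by byte.
function csrf_valid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['CSRF'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... delete the account here: the request came from our own form ...
}

// 3) Every form carries the token; a cross-site <img> or <form> cannot read it.
printf('<form method="post"><input type="hidden" name="CSRF" value="%s">',
    htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8'));
echo '<button type="submit">Delete account</button></form>';
```

With this in place, the `<img>` request from malicioso.com arrives without the session cookie (SameSite=Strict) and without a valid CSRF field, so it is rejected before any account is deleted.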
This means that I must create a new session for each user request, even if they haven't closed the tab / logged in? – guilherme.oc97
@Guilherme.oc97 Yes. You can use WebSocket for this; if the connection is cut, the session is automatically closed. Or you can use the browser's sessionStorage, which is "zeroed" every time the page is opened in a new tab or refreshed, for example, and which only exists on that page. This is very different from cookies, which have the same value "forever". – Inkeliz