Does SolidStart have CSRF protection by default?
questionmark
Didnt find it in docs, so I'm just asking to be sure
17 Replies
You'd usually add a hidden field to your forms and validate that against your session.
Solid Start does not influence your forms.
Though this might be a worthy addition to our new start primitive.
Or maybe a form library like #modular-forms might be interested in supporting such a functionality? @fabianhiller, do you think this might be up your alley or should I think about a primitive?
Can't this be prevented with the SameSite cookie attribute?
That would work, too, but it requires a cookie banner in the EU; unlike tokens, so I feel such a mechanism might still be of value.
I don't think it always needs a cookie banner. As far as I know, cookies without which the website does not work (e.g. auth cookies) can be set.
If the cookie is not persisted beyond the session, that might be a gray area.
even for functional cookies u need a banner, but only to inform that they exist. you don't need to ask for consent
ChatGPT says for essential cookies only, no banner is needed:
In the European Union, the General Data Protection Regulation (GDPR) and the ePrivacy Directive, often referred to as the "Cookie Law", regulate the use of cookies. Under these regulations, websites must obtain informed consent from users before storing non-essential cookies. Essential cookies are those necessary for the technical operation of the site, such as session cookies used to track a user's login status. Non-essential cookies include those used for analytics, advertising, or user tracking. In practice, this means that if your website is accessible to users in the EU and uses non-essential cookies, you must display a cookie consent banner or some other mechanism for obtaining informed consent. This banner should inform users about what cookies are being used, what they're used for, and give them a clear option to opt in or out of these cookies.
banner is maybe not the correct thing. but u need a disclaimer somewhere (eg in the footer) where u notify about the use of cookies
u dont need to ask for consent, but u still need to inform
so you mean the text above was talking about something else? if so, what is the name of the policy you are referring to?
You probably mean § 6 b, d or f GDPR, but the neccessity doesn't apply since you can use a token instead of a cookie, so the lawful persistence of data is down to § 6 a GDPR, which requires explicit consent.
so what about essential-cookies only? (ie to maintain a session)
what policy or law says that I need to inform the user of the use of essential cookies to maintain session?
according to belst I need to inform, but I do not think so?
Art. 12 GDPR requires full transparency of all data processing (which includes matching a session cookie to a user account, thereby identifying the user).
Hey, I hope it's fine if I still write here after 2 months :)
Do you have an example on how to create a value for this hidden field on how to check it on the solid server side?
I use the solid server side like a proxy to enable ssr and have my separate backend. so it's stateless besides the cookies which are sent with the request.
sure thing. You just want a safe random value (crypto-grade random).
Ah which is unique to every user and generated on the backend? And saved for example in the local storage?
No, unique for the single form interaction. server renders form with hidden input with key -> client submits -> server validates key for that form (only valid once to secure against replay attacks).