
Show HN: CSRF Protection Using Cloudflare Workers - red0point
https://gist.github.com/simonerni/3501b8de6320ac37398d08d9d2d08561
======
kentonv
Nice! Great thing to build as a Worker, since it can be layered on top of
basically any web service without having to change the server code.

Have you had any trouble with some browsers not sending either Origin or
Referer, even for legitimate same-origin requests? I seem to remember trying
this approach myself several years ago and finding that some users' browsers
seemed not to send either header, but I never got a chance to dig into it, and
I might be mis-remembering...

~~~
red0point
I've seen that (current) browsers won't send Origin / Referer Header for GET
and HEAD requests, so I'm whitelisting these request types.

Other than that, it seems that IE is not sending the Origin Header for POST
requests, so I simply use the Referer Header in this scenario.

Assume an attacker site sets the Referrer-Policy header to no-referrer: IE
then sends no Referer / Origin at all for POST requests, so I block those requests.

The real origin must thus not have a Referrer-Policy of "no-referrer".

Other than that, I'm observing the impact of the rule in production but
haven't encountered any problems thus far.
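The rule red0point describes above (GET/HEAD always allowed, Origin preferred, Referer used as a fallback when Origin is missing, request blocked when both are absent) as a Cloudflare Worker. This is an added example, not the code from the linked gist; `PROTECTED_ORIGIN` is an assumed value and the pure decision function is separated from the fetch handler so it can be exercised outside the Workers runtime.

```javascript
// Added example (not the gist's code): Origin/Referer based CSRF check as a
// Cloudflare Worker. PROTECTED_ORIGIN is an assumption standing in for the
// site the Worker fronts.
const PROTECTED_ORIGIN = "https://example.com";

// Reduce a header value such as "https://example.com/form?x=1" to its origin
// ("https://example.com"). Returns null when the value is not a parsable URL,
// which also covers the literal string "null" that browsers send as Origin
// for opaque sources (sandboxed iframes, some redirects).
function originOf(value) {
  try {
    return new URL(value).origin;
  } catch (_) {
    return null;
  }
}

// Decide whether a request passes the CSRF check. Returns an object so the
// caller can log the reason for a block.
function csrfDecision(method, originHeader, refererHeader, protectedOrigin = PROTECTED_ORIGIN) {
  const m = String(method).toUpperCase();

  // Browsers do not reliably send Origin/Referer for GET and HEAD, and these
  // methods should not change state anyway, so they are whitelisted.
  if (m === "GET" || m === "HEAD") {
    return { allow: true, reason: "safe-method" };
  }

  // Prefer Origin; fall back to Referer for browsers (e.g. IE) that omit
  // Origin on POST. An empty header value counts as absent.
  const candidate = originHeader ? originHeader : refererHeader;
  if (!candidate) {
    // Neither header present: cannot establish the source, so block. This is
    // the case an attacker page with Referrer-Policy: no-referrer produces.
    return { allow: false, reason: "no-origin-or-referer" };
  }

  const source = originOf(candidate);
  if (source === null) {
    return { allow: false, reason: "unparsable-origin" };
  }
  if (source !== protectedOrigin) {
    return { allow: false, reason: "cross-origin" };
  }
  return { allow: true, reason: "same-origin" };
}

// Worker entry point: reject failing requests with 403, otherwise pass the
// request through unchanged to the origin server.
async function handleRequest(request) {
  const decision = csrfDecision(
    request.method,
    request.headers.get("Origin"),
    request.headers.get("Referer")
  );
  if (!decision.allow) {
    return new Response("Forbidden: " + decision.reason, { status: 403 });
  }
  return fetch(request);
}

// Only register the handler when running inside the Workers runtime.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
}
```

Note that a Referer of `https://example.com/some/page` is compared by origin only, so path and query differences on the protected site do not matter, while default ports are normalised away by `URL.origin` (`https://example.com:443` and `https://example.com` compare equal).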

