
Cross-Site Request Forgery (CSRF)

CSRF occurs when an attacker's webpage contains a URL that performs an action on a target website. If the user is logged into that website and visits the attacker's webpage at the same time, the user's browser requests the URL with the user's session cookies attached, and the action is performed as that user.
(Hence it is advisable to log out before opening other websites.)

On the Lightning Platform, Salesforce has implemented an anti-CSRF token to prevent this attack. It uses these tokens to validate that each submitted request originated from the user's own session rather than from another site.

Suggestions for best practices:
Add a confirmation page or pop-up before the action is performed.
Shorten the idle session timeout.
Log out of the active session, and do not use the same browser to visit other sites while authenticated.
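As an added example (not Salesforce's own code), the following Python sketch shows the session-bound token check described above together with the idle-timeout suggestion; the session store, handler names, amounts and timestamps are all constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> session record.
SESSIONS = {}
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before the session is dropped

def login(user, now):
    """Create a session and bind a fresh, unguessable anti-CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32), "last_seen": now}
    return sid

def render_form(sid):
    """The site embeds the session's token in its own pages; a page on another origin cannot read it."""
    return SESSIONS[sid]["csrf_token"]

def handle_transfer(cookies, form, now):
    """State-changing handler. Returns (status, message); the action runs only on 200."""
    sid = cookies.get("sid")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, "not authenticated"
    if now - sess["last_seen"] > IDLE_TIMEOUT:
        del SESSIONS[sid]  # enforce the idle timeout: a stale session cannot act
        return 401, "session expired"
    sess["last_seen"] = now
    submitted = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(submitted, sess["csrf_token"].encode()):
        return 403, "request invalid for this session"
    return 200, f"transferred {form['amount']} for {sess['user']}"

def demo():
    """Walk through a cross-site request, a genuine one, and a genuine one after the timeout."""
    now = 1_000_000
    sid = login("alice", now)
    cookies = {"sid": sid}  # the browser attaches this cookie to every request to the site
    # Cross-site request: the cookie rides along, but the form carries no session-bound token.
    forged = handle_transfer(cookies, {"amount": "1000"}, now + 1)
    # Request from the site's own page, carrying the token that page rendered.
    genuine = handle_transfer(cookies, {"amount": "10", "csrf_token": render_form(sid)}, now + 2)
    # Same genuine form, submitted after the idle timeout has elapsed.
    stale_form = {"amount": "10", "csrf_token": render_form(sid)}
    stale = handle_transfer(cookies, stale_form, now + 2 + IDLE_TIMEOUT + 1)
    return forged[0], genuine[0], stale[0]  # (403, 200, 401)

if __name__ == "__main__":
    print(demo())
```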


Salesforce has a built-in defence against CSRF. If a user is logged in on one tab and attempts to log in again from another tab, they will see this error: "The page you submitted was invalid for your session."
However, users can still log in by refreshing the login page or attempting to log in a second time.
