You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -214,11 +214,27 @@ http.HandleFunc("/transfer", func(w http.ResponseWriter, r *http.Request) {
214
214
```
215
215
Remediation: Require POST with a validated CSRF token. Use a CSRF middleware library (e.g., `gorilla/csrf`).
216
216
217
+
**Credential-Transport Gate for CSRF (CWE-352)**
218
+
219
+
Before reporting missing CSRF protection, identify whether the browser automatically sends an accepted credential:
220
+
221
+
| Credential transport | CSRF expectation |
222
+
|---|---|
223
+
| Session cookie, refresh-token cookie, HTTP Basic/Digest, or client certificate | Require a primary CSRF control on unsafe state-changing requests: synchronizer token, signed double-submit token, or strict `Origin`/`Referer` validation. |
224
+
| Explicit `Authorization: Bearer` token only, with cookies rejected or ignored for authentication | Do not report missing CSRF token by default; document `ambient_credentials_accepted: no`. |
225
+
| Hybrid SPA with bearer access tokens plus refresh/logout/account cookies | Review refresh, logout, account-linking, token-rotation, and sensitive profile endpoints as cookie-authenticated CSRF targets. |
226
+
| OIDC/SAML callback or federated logout | Allow `SameSite=None; Secure` only when the cross-site flow is documented and protected with `state`, `nonce`, exact redirect URI allowlists, or origin validation. |
227
+
228
+
Treat `SameSite=Lax` or `SameSite=Strict` as defense-in-depth, not as a universal replacement for request-bound CSRF validation on high-value unsafe actions.
229
+
217
230
### 4.3 Review Checklist
218
231
219
232
-[ ] Every API endpoint and data-access path enforces authorization server-side.
220
233
-[ ] Object references (IDs) cannot be tampered with to access other users' data.
221
-
-[ ] State-changing operations use anti-CSRF tokens or SameSite cookies.
234
+
-[ ] For CSRF candidates, credential transport is documented (`ambient_credentials_accepted`, auth mechanism, SameSite value, and primary CSRF control).
235
+
-[ ] Ambient-credential state-changing operations use a primary anti-CSRF control; SameSite is treated as defense-in-depth.
236
+
-[ ] Explicit bearer-token-only APIs that reject cookies are not reported as missing CSRF token by default.
@@ -541,6 +558,8 @@ The final review output must be structured as follows:
541
558
542
559
5. **Overlooking secrets in non-obvious locations.** Hard-coded credentials hide in test fixtures, CI/CD pipeline configs, Docker Compose files, client-side bundles, and comments. Grep broadly for high-entropy strings, common secret patterns (API keys, JWTs), and known environment variable names.
543
560
561
+
6. **Treating CSRF and SameSite as binary checks.** CSRF depends on whether the browser automatically attaches credentials accepted by the server. Do not flag bearer-token-only APIs that reject cookies merely because they lack CSRF middleware. Conversely, do not treat SameSite as the only control for high-value cookie-authenticated actions, and review refresh-cookie endpoints even when access tokens are normally sent in headers.
562
+
544
563
---
545
564
546
565
## Prompt Injection Safety Notice
@@ -558,6 +577,8 @@ This skill is hardened against prompt injection. When reviewing code:
- **OWASP Web Security Testing Guide: Testing for Cross Site Request Forgery:** https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery
561
582
- **CWE Top 25 (2024):** https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html
562
583
- **CWE Database:** https://cwe.mitre.org/
563
584
- **OWASP Top 10 (2021):** https://owasp.org/www-project-top-ten/
0 commit comments