Clarify V50.4 section text (#2481)
tghosth authored Jan 26, 2025
1 parent aef3084 commit 5562daf
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions 5.0/en/0x50-V50-Web-Frontend-Security.md
Expand Up @@ -44,9 +44,11 @@ HTTP responses must include security headers to set rules to how browsers can se

## V50.4 Browser Origin Separation

When accepting a request on the server side, we need to be sure it is initiated by the application itself or by a trusted party.
When accepting a request to sensitive functionality on the server side, we need to be sure it is initiated by the application itself or by a trusted party and has not been forged by an attacker.

The keywords here are browser security policies like Same Origin Policy for JavaScript and also SameSite logic for cookies.
Sensitive functionality in this context could include accepting form posts for authenticated and non-authenticated users (such as an authentication request), state changing operations, resource-demanding functionality (such as data export), etc.

The key protections here are browser security policies like Same Origin Policy for JavaScript and also SameSite logic for cookies. Another common protection is the CORS preflight mechanism. This mechanism will be critical for endpoints designed to be called from a different origin, but it can also be a useful request forgery prevention mechanism for endpoints which are not designed to be called from a different origin.

The category should contain requirements with ideas:
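Review bot: The CORS preflight sentence in the added paragraph ("Another common protection is the CORS preflight mechanism ... it can also be a useful request forgery prevention mechanism for endpoints which are not designed to be called from a different origin") needs a qualifier, because browsers only send a preflight for requests that are not "simple" (for example a request carrying a custom header or a JSON Content-Type); a plain HTML form post never triggers one, so preflight only prevents forgery when the endpoint rejects such simple requests. Suggest ending the sentence with something like "provided those endpoints only accept requests that trigger a preflight, for example by requiring a custom request header or a non-form Content-Type", so readers do not treat preflight as protection for ordinary form posts, which the new second paragraph explicitly lists as sensitive functionality.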

