There are two points to consider, one of which has a solution:
The first case is a website that runs such a request on the client side, for example:
malicioso.com:
<img src="http://seusite.com/deletar_conta.php">
When you access the page it will call your page. This could be done with AJAX or any other method, as long as it runs on the client side, in the browser of the user who is accessing malicioso.com.
Solutions:
Easy and applicable in general use, with low impact to the user:
Add the header X-Frame-Options set to DENY. This will prevent another site from making an iframe of your website.
Add a CSRF-Token (using a CSPRNG) on all forms. The malicious site will not have access to the CSRF-Token unless there is another vulnerability, such as XSS.
Add the SameSite flag set to strict in the session cookie (not supported natively by PHP, but you can do this manually): the request made to your site will not carry cookies, but this is still an experimental feature and not supported in every browser.
Moderate,withlowimpactfortheuser:
Difficultandhighimpactfortheuser:
The second case is to prevent you from sending requests outside my site, preventing them from being able to automate actions or use software such as cURL to make requests on my site, such as:
curl -X "POST" -d "CSRF=12345678&CONTA=12345678" -H "Cookie: sessao=ui1j3dasqwe123;" -H "Referer: seusite.com" https://seusite.com/deletar_conta.php
I want to make sure that the user has moved the mouse to the button and clicked it inside my site.
Solutions:
"Pseudo-Solutions":
This will not fix the problem, requests can still be made outside your site!
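The three "easy" measures from the answer above (CSPRNG-generated CSRF token on every form, session cookie with SameSite=Strict, and X-Frame-Options: DENY) put together in one small server-side model. This is an added example and not code from the answer; it is written in Python rather than PHP so it can run stand-alone, and the `SESSIONS` dictionary, the cookie name `sessao` and the form field name `CSRF` are constructed assumptions taken from the curl line in the answer, not part of any real framework.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical in-memory session store: session id -> session data (constructed for this example).
SESSIONS = {}


def new_session():
    """Create a session and bind a fresh CSRF token to it.

    Both values come from the secrets module, i.e. a CSPRNG, never from random.random().
    """
    sid = secrets.token_hex(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_hex(32)}
    return sid


def session_cookie_header(sid):
    """Set-Cookie value for the session id with SameSite=Strict, Secure and HttpOnly.

    This is the string one would emit by hand (e.g. with header() in PHP) when the
    platform has no native SameSite support.
    """
    return f"sessao={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def security_headers(sid):
    """Response headers a page of the site should send: anti-framing plus the session cookie."""
    return {
        "X-Frame-Options": "DENY",
        "Set-Cookie": session_cookie_header(sid),
    }


def csrf_field(sid):
    """Hidden input to include in every form rendered for this session."""
    token = SESSIONS[sid]["csrf_token"]
    return f'<input type="hidden" name="CSRF" value="{token}">'


def parse_cookie_header(cookie_header):
    """Turn a raw Cookie request header into a dict of name -> value."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def validate_request(headers, form):
    """Check a state-changing POST: returns (ok, reason).

    The browser attaches the cookie automatically, but a cross-site page cannot read
    the token that was embedded in the form, so the token is what distinguishes a
    request originating from the site's own form from a forged one.
    """
    cookies = parse_cookie_header(headers.get("Cookie", ""))
    sid = cookies.get("sessao")
    if sid is None or sid not in SESSIONS:
        return False, "no valid session cookie"
    submitted = form.get("CSRF", "")
    expected = SESSIONS[sid]["csrf_token"]
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = new_session()
    print(security_headers(sid))
    print(csrf_field(sid))
    # Constructed requests: a legitimate form submission and a forged one without the token.
    own_form = {"CSRF": SESSIONS[sid]["csrf_token"], "CONTA": "12345678"}
    forged = {"CONTA": "12345678"}
    print(validate_request({"Cookie": f"sessao={sid}"}, own_form))
    print(validate_request({"Cookie": f"sessao={sid}"}, forged))
```

The check deliberately does nothing about the second case in the answer: a client that already holds a valid session cookie and has read the token out of the page (the curl command above) passes `validate_request`, which is exactly why the answer says that case has no fix on the server side.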