
Commit 7332420

Add documentation about breach
1 parent 183269c commit 7332420

1 file changed

+11
-0
lines changed

security/csrf.rst

Lines changed: 11 additions & 0 deletions
@@ -162,4 +162,15 @@ to check its validity::
162162
}
163163
}
164164

165+
CSRF tokens and compression side-channel attacks
166+
------------------------------------------------
167+
168+
`BREACH`_ and `CRIME`_ are security exploits against HTTPS when using HTTP
169+
compression. Attacker can leverage information leaked by compression to recover
170+
targeted parts of the plaintext. To mitigate these attacks, and prevent an
171+
attacker from guessing the CSRF tokens, a random mask is prepended to the token
172+
and used to scramble it.
173+
165174
.. _`Cross-site request forgery`: https://en.wikipedia.org/wiki/Cross-site_request_forgery
175+
.. _`BREACH``: https://en.wikipedia.org/wiki/BREACH
176+
.. _`CRIME``: https://en.wikipedia.org/wiki/CRIME
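Review bot: the two hyperlink targets added at the end of this hunk carry a stray extra backtick, `.. _`BREACH``: https://en.wikipedia.org/wiki/BREACH` and `.. _`CRIME``: https://en.wikipedia.org/wiki/CRIME`, which makes the target name malformed in reST so the `BREACH`_ and `CRIME`_ references in the new paragraph will not resolve; they should read `.. _`BREACH`: https://en.wikipedia.org/wiki/BREACH` and `.. _`CRIME`: https://en.wikipedia.org/wiki/CRIME`. In the paragraph itself, "Attacker can leverage" should be "An attacker can leverage", and it would help readers to state why a random mask defeats the attack: the compression oracle works because the secret appears as the same byte string in every response, so a mask that is freshly generated each time the token is rendered (assuming that is how the implementation behaves) removes the stable plaintext the attacker needs to recover.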
