Fork me on GitHub
Endre Bakken Stovner22:02:12

Web noob here: is there any point at all with a CSRF-token for a same machine app? (Using clj for computation, cljs for visualization in browser). I am 99.999% sure there is not


I'll add an extra 9 to your confidence value

😂 4
👍 4

What does the same machine app mean? Do you have any post handlers in your app?

Endre Bakken Stovner19:02:42

Yes, there are post handlers which the user uses to send data to the running application 🙂 Same-machine app: meant to be used on the same machine, not serve web pages to clients (dunno if this is the terminology)


Who’s gonna consume the cljs app then? Is it only going to run locally and never ever served over a network? In that case I’d say you’re pretty safe :)


CSRF covers the confused deputy attack, which relies on an attacker tricking a user into making a request on their behalf.


It’s a problem if an attacker knows about your system and where it is, and can get you to visit a website under their control.