CSRF menene kuma yaya za ka iya tsare shi?

Question

Accepted Answer

**CSRF (Cross-Site Request Forgery)** yana bugi mai shiga ya ke cikin gida baki na na bugi wajen buka jerin bugi da ba a so su ba a waje inda aka tabbatar da shi — aiwatar da ayyuka (watsa dala, sauye) ba tare da karfinsa ba, sona kariya ta waye ta na eshirin.na. ## Yaya CSRF ke aiki ```text The attack exploits that browsers AUTO-SEND cookies (incl. session cookies) with requests: 1. a user is LOGGED IN to a site (has a session cookie) 2. the user visits a MALICIOUS page (or clicks a crafted link) 3. that page makes a request to the target site (e.g. a hidden form auto-submitting) 4. the browser AUTOMATICALLY includes the user's session cookie → the site thinks it's a legitimate request from the user → performs the action (transfer money, change email) → the user unknowingly performs an action they didn't intend. ``` ```html ``` ## Tsare ```text ✓ CSRF TOKENS → a unique, unpredictable token per session/form that the server verifies; the attacker's site can't know it → the forged request fails (the primary defense) ✓ SameSite COOKIES → SameSite=Lax/Strict → cookies NOT sent on cross-site requests → blocks CSRF (now a strong, default-ish browser defense) ✓ Check Origin/Referer headers; require re-authentication for sensitive actions ✓ Don't use GET for state-changing actions (use POST/PUT/DELETE properly) → Frameworks often provide CSRF protection built in — enable/use it. ``` ## Me yasa ya fi muhimmanci Ji da CSRF da yaya za ka iya tsare shi yana da mahimmanci saboda yana da kyau kaimi **waje calaba** da ke sona yaya bakin rana ke aiki, wanda mai cin zarafi zai iya aiwatar da ayyuka a matsayin mai tabbatarwa, don haka yana da mahimmanci ilimin tsaro ga masu buga websites. Ji da **yaya CSRF ke aiki** — sona cewa bakin rana **na watse kai-kai cookies** (gama kunshin jerin saita) tare da bugi, saboda haka shafi mai cin zarafi zai iya bugi bugi zuwa waje inda mai gida ya shiga, kuma bakin rana ya haɗa shafi jerin saita, wanda ya bugi wajen magani bugi da ba tabbatarwa ba, kuma aiwatar da ayyuka (watsa dala, sauye akauni) ba tare da karfin mai gida ba — yana da mahimmanci don fahimtar wannan bugi mai shirye-shirye amma mai haɗari. CSRF yana haɗari saboda zai iya aiwatar da ayyuka masu ɗauke-ɗauke a matsayin wanda aka tsare ba tare da sani ba, kuma yana da kyau kaimi waje calaba. Ji da **tsare** yana da mahimmanci: **CSRF tokens** (wani takaici, abin baido-baido ta baki kila tsari/nau'i da sarki ya tabbatar — bakin rana na mai cin zarafi ba zai iya sani ba, don haka bugi da ba tabbatarwa ba suka gazawa; tsare gari gida), **SameSite cookies** (saita SameSite=Lax/Strict don cookies ba za su watse akan bugi waje ba, yanzu kariya mai karfi ta bakin rana da ke zama default), bincika Origin/Referer headers, buƙatar sake tabbatarwa ga ayyuka masu ɗauke-ɗauke, kuma ba amfani da GET ba don ayyukan sauye tsari. Ji cewa **frameworks suna ba da tsare CSRF a cikin gida** (wanda ya kamata a kunna kuma a filli) yana da mahimmanci ta aiki. Hadewar CSRF tokens da SameSite cookies yana ba da kariyar ƙari. Kamar CSRF yana da kyau kaimi waje calaba sona bakin rana ta aiki don aiwatar da bugi da ba a so su a matsayin mai tabbatarwa, kuma kamar ji da yaya yana aiki kuma yaya za ka iya tsare shi (CSRF tokens, SameSite cookies, tsare ta framework) yana da mahimmanci ga masu buga websites, jin CSRF kuma tsare shi yana da mahimmanci, ilimin tsaro mai ma'ana ta aiki — calaba mai mahimmanci a yaɗa don fahimta kuma kare shi, inda tsare (CSRF tokens da SameSite cookies) yana da mahimmanci ilimi don kariyar masu amfani daga shamaita su aiwatar da bugi da ba a so su, wani aji bugi ma'ana ga kowane waje aiki tare da tabbatarwa sauye-sauye ayyuka.