Title of invention: A METHOD AND SYSTEM FOR PREVENTING CROSS-SITE REQUEST FORGERY ATTACKS ON A SERVER
Abstract: A method and system for preventing Cross-Site Request Forgery (CSRF) security attacks on a server in a client-server environment. The method includes embedding a nonce and a script in all responses from the server to the client, wherein, when executed, the script will add the nonce to each request from the client to the server; sending the response with the nonce and the script to the client; and verifying that each said request from the client includes the nonce sent from the server to the client. The script modifies all objects in a server response that may generate future requests to the server, including dynamically generated objects, so that the nonce is added to those requests. The server verifies the nonce value in a request and confirms the request with the client if the value is not the same as the value previously sent by the server. Server-side aspects of the invention might be embodied in the server or a proxy between the server and the client.
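Publication number: CA2694326(A1) Publication date: 2010.05.18
Application number: CA20102694326 Filing date: 2010.03.10
Applicant: IBM CANADA LIMITED - IBM CANADA LIMITEE Inventors: PODJARNY, GUY;AMIT, YAIR;SHARABANI, ADI
Classification: H04L9/32;G06F21/00;G06Q20/40 Main classification: H04L9/32
Agency: Agent:
Principal claim:
Address: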