Use of CSRF mitigation techniques in Appwrite SDK-s

  • Self Hosted
Mattias Aabmets
16 Apr, 2023, 06:59

I'm curious if Appwrite implements some kind of defense mechanism against Cross-Site Request Forgery attacks? This question is tied to the method or libraries Appwrite uses in client-side SDK-s to communicate with the Appwrite backend server. For Web SDK for instance, if the communication channel is implemented using the builtin fetch() coroutine, then CSRF protection must be configured manually. If a library like Axios is used, then CSRF protection is automatic, because Axios has it builtin. Therefore my question is, does Appwrite use the builtin fetch() coroutine and if it does, then has CSRF protection been implemented by the Appwrite team?

TL;DR
The user is asking if Appwrite implements CSRF protection in its SDKs. The response from Appwrite states that custom headers are required in the request, making it unlikely to be susceptible to CSRF attacks. The user is encouraged to create a proof of concept (POC) if they find any security vulnerabilities and share them with Appwrite. Solution: Appwrite requires custom headers in the request, offering built-in protection against CSRF attacks.
Drake
16 Apr, 2023, 07:17

Appwrite shouldn't be susceptible to CSRF attacks because custom headers are required in the request. Feel free to create a POC if you find any security vulnerabilities and share them with security@appwrite.io

Drake
16 Apr, 2023, 15:20

Oh we also validate the origin/referrer server-side to protect against CSRF
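
The two server-side checks described in the replies above (a required custom header, plus origin/referrer validation), sketched as an added example. This is not Appwrite's code; the header name `X-Example-Project`, the allowed origin and the sample requests are hypothetical and constructed for illustration.

```javascript
// Added illustration, not Appwrite's implementation. Names below are hypothetical.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed allowlist
const REQUIRED_HEADER = 'x-example-project';                  // hypothetical custom header
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Return scheme://host[:port] for a URL string, or null when it cannot be parsed.
function originOf(value) {
  try {
    const origin = new URL(value).origin;
    return origin === 'null' ? null : origin;
  } catch {
    return null; // covers '', the literal "null" origin, and malformed values
  }
}

// req: { method, headers } with lower-cased header names, as Node's http module provides.
function checkCsrf(req) {
  const h = req.headers;
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { ok: true, reason: 'safe method' };

  // 1. Custom header: an HTML form or <img> tag cannot attach it, and a cross-origin
  //    fetch() that sets it triggers a CORS preflight the server can refuse.
  if (!h[REQUIRED_HEADER]) return { ok: false, reason: 'missing custom header' };

  // 2. Origin, falling back to Referer only when Origin is absent.
  const source = h.origin !== undefined ? originOf(h.origin) : originOf(h.referer || '');
  if (source === null) return { ok: false, reason: 'no usable origin or referer' };
  // Exact match on the parsed origin; a prefix match would accept lookalike hosts.
  if (!ALLOWED_ORIGINS.has(source)) return { ok: false, reason: 'origin not allowed' };
  return { ok: true, reason: 'header and origin verified' };
}

// Constructed sample requests covering the cases the checks are meant to separate.
const SAMPLES = {
  crossSiteForm: { method: 'POST', headers: { origin: 'https://evil.example' } },
  sdkCall: { method: 'POST', headers: { 'x-example-project': 'demo', origin: 'https://app.example.com' } },
  lookalikeReferer: { method: 'POST', headers: { 'x-example-project': 'demo', referer: 'https://app.example.com.evil.example/page' } },
  sandboxedFrame: { method: 'DELETE', headers: { 'x-example-project': 'demo', origin: 'null' } },
};

for (const [name, req] of Object.entries(SAMPLES)) {
  const result = checkCsrf(req);
  console.log(name.padEnd(18), result.ok ? 'ALLOW' : 'DENY ', result.reason);
}
```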
