Stackademic

Stackademic is a learning hub for programmers, devs, coders, and engineers. Our goal is to democratize free coding education for the world.


Member-only story

NestJS - Security - Basics - CSRF

Nikos Oikonomou
Published in Stackademic
9 min read · Jan 3, 2025


In this section, we introduce CSRF to enhance the security of your NestJS application.

This section is part of a broader guide. You can follow the guide from the beginning or complete the prerequisite steps, Getting Started and Cookies, before diving in. Optionally, you can also go ahead and follow a related section about Helmet and Cors.

Before we start

It’s important to note that security is a critical aspect of every system and must not be overlooked. While we’ll try to tackle the important basics, many things can go wrong in practice, every application is unique, and security measures should be continuously reevaluated and tailored to the specific needs of your implementation. Stay updated with evolving threats and ensure your configurations align with the latest security standards.

We won’t be able to dive into everything, so feel free to request any clarifications in the comments and I will be very happy to assist and possibly refine this section based on your input.

CSRF

Cross-Site Request Forgery (CSRF) is a type of attack that tricks users into performing unintended actions on a website where they are authenticated. By exploiting the trust between the user and the website, an attacker can execute malicious operations like transferring funds, changing account details, or performing other sensitive actions without the user’s consent.

It’s not the purpose of this guide to cover what CSRF is in full or how to safeguard your application in every use case. For a more in-depth view, take a look at the official OWASP article about CSRF.

Why is it dangerous?

  • It exploits authenticated sessions, such as cookies or tokens.
  • The user often has no way of knowing that an attack has occurred.

For example, if a user is logged into their bank account, an attacker could craft a malicious link or form that triggers a fund transfer without the user’s explicit approval.

How Does CSRF Work?

A very simple example:

  1. The user logs into https://example.com and receives a session cookie.
  2. The attacker creates a…
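The steps above describe the mechanism: the browser attaches the session cookie to a request the user never intended. The following is an added example, not code from the article or from NestJS, showing the standard mitigation in framework-agnostic TypeScript: an HMAC-signed double-submit token bound to the session, plus an Origin check as defence in depth. The `CsrfRequest` shape, the `X-CSRF-Token` header name, the `allowedOrigin` value and the session ids are assumptions; a NestJS guard would populate the request fields from the underlying Express or Fastify request.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

// Hypothetical minimal request shape (assumption). A NestJS guard would fill
// these from the real request: method, Origin header, session cookie,
// CSRF cookie and the X-CSRF-Token header that client-side code must add.
export interface CsrfRequest {
  method: string;
  origin?: string;      // Origin header, if the browser sent one
  sessionId: string;    // value of the authenticated session cookie
  csrfCookie?: string;  // CSRF cookie issued by the server
  csrfHeader?: string;  // same token echoed back in a request header
}

export interface CsrfResult {
  ok: boolean;
  reason: string;
}

// Methods that must never change state and therefore need no token.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Bind the token to the session with an HMAC so a token issued to one session
// cannot be replayed against another.
function sign(sessionId: string, nonce: string, secret: string): string {
  return createHmac("sha256", secret).update(`${sessionId}!${nonce}`).digest("hex");
}

// Issue a fresh token: "<nonce>.<hmac>". Set it as a cookie and also expose it
// to the page so the client can copy it into the X-CSRF-Token header.
export function issueCsrfToken(sessionId: string, secret: string): string {
  const nonce = randomBytes(16).toString("hex");
  return `${nonce}.${sign(sessionId, nonce, secret)}`;
}

// Constant-time string comparison to avoid leaking the token via timing.
function safeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a);
  const bb = Buffer.from(b);
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Decide whether a state-changing request is legitimately same-site.
export function verifyCsrf(req: CsrfRequest, secret: string, allowedOrigin: string): CsrfResult {
  if (SAFE_METHODS.has(req.method.toUpperCase())) {
    return { ok: true, reason: "safe method" };
  }
  // Defence in depth: a cross-site form post carries the other site's Origin.
  if (req.origin !== undefined && req.origin !== allowedOrigin) {
    return { ok: false, reason: "origin mismatch" };
  }
  if (!req.csrfCookie || !req.csrfHeader) {
    return { ok: false, reason: "token missing" };
  }
  // Double submit: another origin cannot read our cookie, so it cannot echo
  // it into a custom header; only our own page's script can.
  if (!safeEqual(req.csrfCookie, req.csrfHeader)) {
    return { ok: false, reason: "token mismatch" };
  }
  const [nonce, mac] = req.csrfHeader.split(".");
  if (!nonce || !mac || !safeEqual(mac, sign(req.sessionId, nonce, secret))) {
    return { ok: false, reason: "token not bound to session" };
  }
  return { ok: true, reason: "verified" };
}
```

In a NestJS application this logic would live in a guard or middleware applied to every non-safe route, with the token issued on login and the CSRF cookie set without `HttpOnly` (the client must read it) but with `SameSite` and `Secure`; a request that only carries the automatically attached cookies, as in the forged-form scenario above, is rejected before the handler runs.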
