Cross Site Request Forgery in Buffalo with Jwt Tokens
Cross Site Request Forgery in Buffalo with Jwt Tokens — how this specific combination creates or exposes the vulnerability
Cross Site Request Forgery (CSRF) is an attack that tricks a user into performing unwanted actions on a web application where they are authenticated. When using Buffalo with JWT tokens, the typical session-based CSRF protections (e.g., same-site cookies and CSRF tokens) are often absent or misapplied because JWTs are commonly stored in cookies or local storage and sent via headers rather than relying on session state that frameworks like Buffalo automatically protect.
In Buffalo, if you store a JWT in a cookie and rely on cookies being sent automatically by the browser for authenticated requests, an attacker can craft a form or script on a malicious site that performs state-changing HTTP methods (POST, PUT, DELETE) to your Buffalo API endpoints. If the endpoint only checks for the presence of a valid JWT in the Authorization header or cookie and does not validate the request origin, the request will be processed as if it were made intentionally by the victim user.
JWTs themselves do not prevent CSRF; they provide authentication (something you have) but not inherent protection against unauthorized commands from a user’s browser. If your Buffalo application exposes unauthenticated endpoints that accept sensitive actions and the JWT is automatically included by the browser (e.g., stored in a cookie accessible to JavaScript or sent via automatic cookie inclusion), the attack surface is present. Common patterns that increase risk include:
- Using cookie-based JWT storage without SameSite=Strict or Lax attributes.
- Relying solely on custom Authorization: Bearer headers in APIs that also accept cookie-based sessions in the same application.
- Not validating the Origin or Referer headers for state-changing requests, especially in unauthenticated attack surface tests where CSRF protections may be absent.
Because middleBrick scans the unauthenticated attack surface and checks Authentication and BOLA/IDOR among 12 parallel security checks, it can surface missing CSRF protections for endpoints that accept JWTs via cookies. The scanner does not assume framework-specific default protections; if your Buffalo app does not implement explicit CSRF defenses for cookie-stored JWTs, findings will be reported with severity and remediation guidance.
Jwt Tokens-Specific Remediation in Buffalo — concrete code fixes
To mitigate CSRF when using JWTs in Buffalo, apply defense-in-depth: restrict how cookies are sent, validate request origins, and avoid mixing authentication mechanisms for the same endpoint. Below are concrete, syntactically correct examples for a Buffalo application.
Set JWT cookies with SameSite and Secure attributes
Ensure cookies containing JWTs are not sent on cross-site requests by using SameSite=Strict or Lax, and always use Secure in production.
import "github.com/gobuffalo/buffalo"
import "github.com/gobuffalo/buffalo/middleware"
func App() *buffalo.App {
app := buffalo.New(buffalo.Options{
SessionStore: &middlebrickSession{},
})
app.GET("/login", func(c buffalo.Context) error {
token := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiMSJ9.example"
c.Response().Cookies()["jwt"] = &http.Cookie{
Name: "jwt",
Value: token,
HttpOnly: true,
Secure: true,
SameSite: http.SameSiteStrictMode,
Path: "/",
}
return c.Render(200, r.JSON(map[string]string{"status": "ok"}))
})
return app
}
Require custom header for state-changing requests and validate Origin
For endpoints that perform sensitive actions, require an Authorization: Bearer header and optionally validate the Origin header when the request is not simple (e.g., POST, DELETE).
func protectCSRF(next buffalo.Handler) buffalo.Handler {
return func(c buffalo.Context) error {
// Allow safe methods without extra checks
if c.Request().Method == "GET" || c.Request().Method == "HEAD" || c.Request().Method == "OPTIONS" {
return next(c)
}
auth := c.Request().Header.Get("Authorization")
if auth == "" {
c.Response().WriteHeader(401)
return c.Error(401, errors.New("missing authorization header"))
}
origin := c.Request().Header.Get("Origin")
if origin == "" {
c.Response().WriteHeader(400)
return c.Error(400, errors.New("missing origin header"))
}
// Optionally validate origin against an allowlist
allowed := map[string]bool{"https://your-frontend.example.com": true}
if !allowed[origin] {
c.Response().WriteHeader(403)
return c.Error(403, errors.New("origin not allowed"))
}
return next(c)
}
}
// Usage in a Buffalo route
app.POST("/api/transfer", protectCSRF, func(c buffalo.Context) error {
// handle transfer logic
return c.Render(200, r.JSON(map[string]string{"result": "ok"}))
})
Use anti-CSRF tokens for cookie-based sessions alongside JWTs
If you maintain compatibility with cookie-based sessions, include a separate anti-CSRF token in forms and validate it server-side. For SPAs using JWTs in Authorization headers, ensure endpoints do not rely solely on cookies.
func generateCSRFToken() string {
return fmt.Sprintf("%x", sha256.Sum256([]byte(uuid.New().String())))
}
app.GET("/form", func(c buffalo.Context) error {
token := generateCSRFToken()
c.Session().Set("csrf_token", token)
return c.Render(200, r.HTML(""))
})
app.POST("/submit", func(c buffalo.Context) error {
sessionToken := c.Session().Get("csrf_token")
formToken := c.Params().Get("_csrf")
if sessionToken != formToken {
c.Response().WriteHeader(403)
return c.Error(403, errors.New("invalid csrf token"))
}
return c.Render(200, r.JSON(map[string]string{"status": "ok"}))
})