
rrishi | 1 year ago

Are there frequently other glaring mistakes in this book?

Do you have suggestions for alternative books dealing with a similar topic?

Context: Noob in JS security, but I know a decent amount of JS + building apps.


ethanlew-is | 1 year ago

A few others that jump out to me:

* 04-AntiForgeryToken would not provide any actual protection against CSRF (there are a few ways to do it, but all at minimum require 1) the token to be generated by the server and 2) a way for the server to compare against a known good value, either from its session DB or by "double-submitting" the token [0]).

* 18-SecureWebStorage encrypts the value without including an authentication tag, meaning it can likely be fully decrypted or modified by the user (look up a Vaudenay attack or try out https://cryptopals.com/ if you're curious there)

Those are the ones I have specific experience with and looked at first, so maybe the more frontend-oriented examples are better?

[0] https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Re...