CSRF is addressed by coding techniques that ensure applications do not rely on auth credentials and tokens automatically submitted by browsers. Which approach aligns with this guidance?

Multiple Choice

Explanation:
The idea is to prevent the browser from automatically supplying credentials in a way that a malicious site could exploit. CSRF happens because the browser includes cookies (and any other session-authentication data) with every request to your site, even when the user did not intend to perform that action. The safe approach is to design requests so they do not rely on those auto-submitted credentials, and instead require a value that an attacker cannot obtain from another site—such as a CSRF token that the client must send in the request (for example in a form field or a custom header) and that the server validates against the user's session. This way, a cross-site request cannot succeed without access to that token.

Choices that rely on credentials automatically submitted by browsers remain vulnerable; storing the token in a cookie does not help, because the cookie would also be sent automatically unless otherwise protected; and re-authentication on every request is impractical and does not address the underlying risk. Therefore, not relying on auth credentials and tokens automatically submitted by browsers aligns with the CSRF protection guidance.

