How to block client-side attacks on the server-side

Teo Selenius, Senior Security Specialist


August 23, 2021 at 09:22

Teo Selenius works as a cybersecurity expert at Nixu Engineering. He helps developers, architects, and other technical staff in different organizations to build and maintain secure applications.

In 2021 Selenius started a blog, Appsecmonkey.com, to keep his findings in order and to share his discoveries and the latest application security trends. The blog is growing rapidly; its theme is application security and everything you need to know about it.

Did you know that the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) let you block client-side attacks such as CSRF on the server side?

Here is how it works.

  1. An evil website sends an unwanted POST request (say, a CSRF attack) to your website on the browser user's behalf.
  2. The user's browser includes the usual HTTP request headers and session cookies. It also includes the Fetch Metadata headers, which tell your server "this request originated from some other website". Specifically, it includes the header:

Sec-Fetch-Site: cross-site

  3. On your back-end system, you inspect the Fetch Metadata headers and, if you wish, reject the request outright when the combination is not one you expect (for example, a cross-site request that is not a plain top-level GET navigation). One caveat: only browsers that implement Fetch Metadata send these headers, so a request with no Sec-Fetch-Site header at all should fall through to your existing CSRF defenses (anti-CSRF tokens, SameSite cookies) rather than be blocked.
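The three steps above, as a server-side check in Node.js. This is an added example written for this page, not code from Teo's article or from Nixu. It implements a "resource isolation policy": same-site and user-initiated requests pass, cross-site requests pass only if they are plain GET navigations (so links to your site keep working), and anything else cross-site, including the CSRF POST from step 1, is rejected. The helper names (`evaluateFetchMetadata`, `fetchMetadataGuard`) and the sample requests are assumptions constructed for the demonstration; the code assumes a request object with `method` and a lowercase-keyed `headers` map, as Node's http module and Express provide.

```javascript
'use strict';
// Resource isolation policy based on Fetch Metadata request headers.
// Added example for this page; not code from the original article or from Nixu.
// Assumes req.method and req.headers with lowercase header names (Node http / Express).

const SAME_SIDE_VALUES = new Set(['same-origin', 'same-site', 'none']);

/**
 * Decide whether a request passes the isolation policy.
 * Returns { allowed, reason } so the caller can log why a request was rejected.
 */
function evaluateFetchMetadata(method, headers) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  // 1. No Sec-Fetch-Site at all: an older browser or a non-browser client.
  //    The policy cannot decide, so let existing CSRF defenses handle it
  //    instead of locking out legitimate users.
  if (site === undefined) {
    return { allowed: true, reason: 'no-fetch-metadata' };
  }

  // 2. Same-origin, same-site and user-initiated ("none", e.g. typed URL or bookmark).
  if (SAME_SIDE_VALUES.has(site)) {
    return { allowed: true, reason: 'sec-fetch-site=' + site };
  }

  // 3. Cross-site: allow only plain top-level GET navigations (links from other
  //    sites), never cross-site POSTs, CORS fetches, or <object>/<embed> loads.
  if (site === 'cross-site' && mode === 'navigate' && method === 'GET' &&
      dest !== 'object' && dest !== 'embed') {
    return { allowed: true, reason: 'cross-site-navigation' };
  }

  return {
    allowed: false,
    reason: 'blocked sec-fetch-site=' + site + ' mode=' + mode + ' dest=' + dest + ' method=' + method,
  };
}

/**
 * Express/Connect-style middleware: rejects with 403 when the policy fails.
 * `skipPaths` lists endpoints that legitimately accept cross-site requests
 * (e.g. a payment-provider callback); those bypass the check.
 */
function fetchMetadataGuard(options = {}) {
  const skipPaths = options.skipPaths || [];
  return function guard(req, res, next) {
    if (skipPaths.includes(req.path || req.url)) return next();
    const decision = evaluateFetchMetadata(req.method, req.headers);
    if (decision.allowed) return next();
    res.statusCode = 403;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Forbidden: ' + decision.reason);
  };
}

// Constructed sample requests, shaped as a browser would send them.
const SAMPLE_REQUESTS = {
  // Step 1: auto-submitted form on evil.example posting to your site.
  csrfFormPost: { method: 'POST', url: '/transfer', headers: {
    'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  // Cross-site fetch() with credentials from a malicious page.
  csrfFetch: { method: 'POST', url: '/api/transfer', headers: {
    'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' } },
  // A user clicking a link to your site from another site.
  linkFromElsewhere: { method: 'GET', url: '/', headers: {
    'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  // Your own front-end calling your API.
  sameOriginXhr: { method: 'POST', url: '/api/transfer', headers: {
    'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' } },
  // Browser without Fetch Metadata support: no Sec-Fetch-* headers at all.
  legacyBrowserPost: { method: 'POST', url: '/transfer', headers: {} },
};

/** Run the policy over the samples; returns { name: allowed } for inspection. */
function runSamples() {
  const result = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    result[name] = evaluateFetchMetadata(req.method, req.headers).allowed;
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runSamples());
}
if (typeof module !== 'undefined') {
  module.exports = { evaluateFetchMetadata, fetchMetadataGuard, runSamples, SAMPLE_REQUESTS };
}
```

Mount `fetchMetadataGuard()` before your route handlers so it runs on every request; keep your anti-CSRF tokens in place, since step 1 of the policy deliberately lets requests without Fetch Metadata through.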

To read more, check Teo's article here: https://appsecmonkey.com/blog/fetch-metadata
