Preventing cross-site request forgery attacks on a server
US8495135B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | Sep 23, 2010 |
| Grant date | Jul 23, 2013 |
| Priority date | — |
| Expiry date | Apr 23, 2031 |
Classification
- Technology area (CPC H)Electricity
- CPC primaryH04L63/08
- WIPO fieldComputer technology
- WIPO sectorElectrical engineering
Abstract
Preventing Cross-Site Request Forgery (CSRF) security attacks on a server in a client-server environment comprises: embedding a nonce and a script in all responses from the server to the client, the script adapted for executing to add the nonce to each request from the client to the server; sending the response with the nonce and the script to the client; and verifying that each request from the client includes the nonce. The script preferably modifies all objects, including dynamically generated objects, in a server response that may generate future requests to the server to add the nonce to the requests. The server verifies the nonce value in a request and optionally confirms the request with the client if the value is not the same as the value previously sent by the server. Server-side aspects might be embodied in the server or a proxy between the server and the client.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.