Ask HN: Do you use CSRF protection in your forms?

1 point

10 years ago

With the popularity of Slack I have noticed that many IT related communities provide a 3rd-party website to receive an invitation to join their channel. However, the majority lack a CSRF protection allowing a malicious user to send spam to random email addresses on behalf of the admin of the channel. This has led communities like Gophers [1] to include a captcha [2] to prevent automated requests, and also modified their Slackin [3] installation to consider duplicated emails — even with the plus sign modifier [4]. I also experienced websites with CSRF tokens via HTTP headers that actually work, or not really because once you remove the header the request stops being blocked.

Why is this? Are developers depending too much on package managers to install 3rd-party library to add things like this without checking if they actually work? Do companies prefer to take the risk of getting bombarded with spam instead of adding an inconvenient steps to their legitimate users with a captcha? Are people taking web security for granted with mainstream frameworks?

[1] https://invite.slack.golangbridge.org/

[2] And ironically opened another bug (which is already fixed) where you could send an underscore as the value for the captcha and take down the Heroku instance with the second request, something that I never understood until they (somehow) fixed it.

[3] https://github.com/rauchg/slackin

[4] echo '[email protected]' | sed 's/\+.*@/@/'