Mitigation-page

MID-074: Cross Site Request Forgery Mitigations

Mitigation Tier: Foundational

Description

The web application should include mechanisms that ensure only authentic HTTP requests are processed. These mitigation mechanisms include synchronizer token patterns, double-submit cookie patterns, and forbidding simple requests. Additional techniques can be deployed to bolster the device's other mitigations, such as using SameSite cookies, verifying standard headers (for example Origin and Referer), and requiring user interaction for all privileged actions (instead of blindly allowing actions to take place based on the URL alone). Ideally a web application framework should be used to implement these mitigations to ensure they are deployed effectively and consistently.
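The following is an added example, not code from this mitigation page or from any particular product, showing how the patterns named above fit together in a request handler: a synchronizer token stored server side per session, a signed double-submit cookie, a standard-header (Sec-Fetch-Site / Origin / Referer) check, and a Set-Cookie header with the SameSite attribute. It uses only the Python standard library; the session store, secret, header names and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Mapping, Optional, Tuple

# Hypothetical server-side secret for signing double-submit cookies. A real
# deployment loads this from a secret store rather than generating it at import.
SERVER_SECRET = secrets.token_bytes(32)


def _ct_equal(a: str, b: str) -> bool:
    """Constant-time string comparison; encoding avoids TypeError on non-ASCII input."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


# ---- Synchronizer token pattern -------------------------------------------
# One unguessable token per session, held server side and embedded by the
# server into each form; the browser must send it back with the request.

@dataclass
class Session:
    session_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS: Dict[str, Session] = {}  # constructed in-memory session store


def new_session() -> Session:
    session = Session(session_id=secrets.token_urlsafe(16))
    SESSIONS[session.session_id] = session
    return session


def synchronizer_token_valid(session: Session, submitted: Optional[str]) -> bool:
    return bool(submitted) and _ct_equal(session.csrf_token, submitted)


# ---- Double-submit cookie pattern (signed variant) ------------------------
# The token is bound to the session id with an HMAC so an attacker who can
# plant cookies (e.g. from a sibling subdomain) cannot forge a matching pair.

def make_double_submit_token(session_id: str) -> str:
    nonce = secrets.token_urlsafe(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def double_submit_valid(session_id: str, cookie_value: Optional[str], form_value: Optional[str]) -> bool:
    if not cookie_value or not form_value or not _ct_equal(cookie_value, form_value):
        return False
    nonce, _, mac = cookie_value.partition(".")
    expected = hmac.new(SERVER_SECRET, f"{session_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return _ct_equal(expected, mac)


# ---- Standard-header verification -----------------------------------------
# Prefer Sec-Fetch-Site (browser-controlled), then Origin, then Referer.
# A request carrying none of them is rejected: absence is not proof of origin.

def same_origin_request(headers: Mapping[str, str], expected_origin: str) -> bool:
    h = {k.lower(): v for k, v in headers.items()}
    if "sec-fetch-site" in h:
        return h["sec-fetch-site"] in ("same-origin", "none")
    if "origin" in h:
        return h["origin"] == expected_origin
    if "referer" in h:
        return h["referer"].startswith(expected_origin + "/")
    return False


# ---- SameSite cookie attribute --------------------------------------------

def set_cookie_header(name: str, value: str, same_site: str = "Strict", http_only: bool = True) -> str:
    attrs = [f"{name}={value}", "Path=/", "Secure", f"SameSite={same_site}"]
    if http_only:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


# ---- Combined decision for a state-changing request -----------------------

def authorize_state_change(session: Session, headers: Mapping[str, str],
                           cookies: Mapping[str, str], form: Mapping[str, str],
                           expected_origin: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Every layer must pass; the first failure is reported."""
    if not same_origin_request(headers, expected_origin):
        return False, "cross-site or unverifiable origin"
    if not synchronizer_token_valid(session, form.get("csrf_token")):
        return False, "synchronizer token missing or wrong"
    if not double_submit_valid(session.session_id, cookies.get("csrf_cookie"), form.get("csrf_cookie_copy")):
        return False, "double-submit cookie mismatch"
    return True, "ok"
```

The order of checks is deliberate: the header check is cheapest and rejects most forged requests before any token work, while the token checks protect browsers that do not send Sec-Fetch-Site. Because the server embeds both token values into the form itself, the cookie can stay HttpOnly; only the JavaScript-read variant of double-submit requires a readable cookie.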

IEC 62443-4-2 Mappings

  • CR 3.8 – Session integrity

References

[1] OWASP. "Cross-Site Request Forgery Prevention Cheat Sheet." owasp.org. Accessed: Aug. 28, 2024. [Online]. Available: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html