What is CSRF?
Cross-Site Request Forgery (CSRF) is an attack in which a malicious website tricks your browser into sending requests to Boottify while you are logged in. The browser attaches your session cookie to those requests automatically, so the server would otherwise treat them as yours. For example, a hidden form on a malicious page could submit a request to change your email address or delete your account.
How Boottify Protects You
Boottify uses the Double Submit Cookie pattern to prevent CSRF attacks on all state-changing API routes (POST, PUT, PATCH, DELETE). Here's how it works:
- When you load any page, a unique CSRF token is generated and stored in a cookie.
- The same token is embedded in the page as a hidden form field, or read by the page's own scripts and sent as a request header.
- When you submit a form or make an API call, both the cookie value and the header/form value are sent.
- The server rejects the request unless both values are present and identical. Because of the same-origin policy a malicious site cannot read Boottify's cookies, so it cannot supply the matching header or form field; the browser will still attach the cookie, but the cookie alone is not enough.
Additional Protections
In addition to CSRF tokens, Boottify employs these security measures:
- SameSite cookies — Session cookies carry the SameSite=Lax attribute, so the browser does not attach them to cross-site POST requests or to cross-site subresource requests (images, scripts, fetch calls). Lax still sends them on top-level navigations that use a safe method such as GET, so it is a second layer rather than a replacement for the token check.
- Secure cookies — All cookies carry the Secure attribute, so they are only sent over HTTPS.
- Content-Type validation — API routes check the Content-Type header and reject the types a plain HTML form can produce (application/x-www-form-urlencoded, multipart/form-data, text/plain), so a cross-site page cannot drive an API route through a form submission.
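To make the three additional protections concrete, here is an added example (not Boottify's code) that serialises cookies with and without the attributes described above, models when a browser attaches a cookie under each SameSite value, and applies the Content-Type gate. The function names and the sample cookie values are assumptions; the behaviour modelled follows the SameSite rules, simplified to ignore the short grace window some browsers apply to freshly set Lax cookies.

```javascript
// Added example, not Boottify's implementation. Function names and
// sample values are assumptions for illustration.

// Serialise a Set-Cookie header value from a name, value and attributes.
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${opts.path || '/'}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Weak: no attributes, so the cookie rides along on cross-site requests,
// is sent over plain HTTP and is readable by any script on the page.
const weakSessionCookie = serializeCookie('session', 'abc123');

// Hardened: the attributes the page describes for the session cookie.
const hardenedSessionCookie = serializeCookie('session', 'abc123', {
  secure: true, httpOnly: true, sameSite: 'Lax',
});

// The CSRF token cookie must stay readable by page scripts (no HttpOnly)
// so the page can copy it into the X-CSRF-Token header.
const csrfCookie = serializeCookie('csrf-token', 'tok', { secure: true, sameSite: 'Lax' });

// Model of whether a browser attaches a cookie to a request.
// req = { crossSite: bool, topLevelNavigation: bool, method: string }
function cookieIsSent(sameSite, req) {
  if (!req.crossSite) return true;               // same-site: always sent
  switch (sameSite) {
    case 'Strict':
      return false;                              // never cross-site
    case 'Lax':
      // Only on top-level navigations with a safe method (e.g. a link click).
      return req.topLevelNavigation &&
        ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(req.method.toUpperCase());
    case 'None':
      return true;                               // always (must also be Secure)
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Content-Type gate for API routes: only a JSON media type passes.
// Parameters such as "; charset=utf-8" are ignored and the comparison is
// case-insensitive; a plain HTML form cannot produce application/json.
function isAllowedApiContentType(header) {
  if (!header) return false;
  const mediaType = header.split(';')[0].trim().toLowerCase();
  return mediaType === 'application/json';
}

console.log(weakSessionCookie);
console.log(hardenedSessionCookie);
console.log(csrfCookie);
```

The `cookieIsSent` model is the reason the page pairs SameSite=Lax with a token: a cross-site form POST is blocked by Lax alone, but a cross-site link to a GET URL is not, and the Content-Type gate covers the form-encoded bodies that Lax would otherwise let through in a same-site context.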
For Developers
If you're integrating with Boottify's API, every POST, PUT, PATCH or DELETE request must carry the CSRF token in the X-CSRF-Token header. Read the value from the csrf-token cookie and send the cookie itself with the request as well, since the server compares the two. Many browser HTTP clients can be configured to copy a named cookie into a named header on every request; check that the cookie and header names you configure are csrf-token and X-CSRF-Token, because library defaults usually differ. Requests made from outside a browser (scripts, tests) need the same cookie and header.
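A client-side helper for that integration, as an added example and not Boottify's own client code: it reads the csrf-token cookie, builds the options for a state-changing fetch() call with the X-CSRF-Token header, and fails early when the cookie is missing or the target is a different origin. It is written as pure functions so the logic runs outside a browser; the function names and the origin `https://app.example` are constructed for illustration.

```javascript
// Added example, not Boottify's client code. buildCsrfRequest, readCookie
// and the sample origin are assumptions for illustration.
const CSRF_COOKIE = 'csrf-token';

// Find one cookie in a document.cookie-style string ("a=1; b=2").
function readCookie(cookieString, name) {
  for (const part of (cookieString || '').split(';')) {
    const [k, ...rest] = part.split('=');
    if (k.trim() === name) return decodeURIComponent(rest.join('=').trim());
  }
  return undefined;
}

// Build fetch() options for a state-changing request.
//   cookieString: document.cookie in a browser
//   origin:       the page's own origin (window.location.origin)
function buildCsrfRequest(cookieString, origin, url, method, payload) {
  // Never attach the token to another origin: that would hand a valid
  // token to a third party. Relative URLs resolve against our own origin.
  const target = new URL(url, origin);
  if (target.origin !== origin) {
    throw new Error(`refusing to send CSRF token to ${target.origin}`);
  }

  const token = readCookie(cookieString, CSRF_COOKIE);
  if (!token) {
    // No page load yet, or the cookie expired: fail here with a clear
    // message instead of an opaque rejection from the server.
    throw new Error('csrf-token cookie not present; reload the page');
  }

  return {
    method,
    credentials: 'same-origin',          // send the session and csrf cookies
    headers: {
      'Content-Type': 'application/json', // passes the API Content-Type check
      'X-CSRF-Token': token,
    },
    body: JSON.stringify(payload),
  };
}

// In a browser the call site would be:
//   const url = '/api/account';
//   fetch(url, buildCsrfRequest(document.cookie, window.location.origin,
//                               url, 'PUT', { email: 'me@example.com' }));
```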