1 file changed +11 -0 lines changed
lines changed Original file line number Diff line number Diff line change @@ -162,4 +162,15 @@ to check its validity::
162162 }
163163 }
164164
165+ CSRF tokens and compression side-channel attacks
166+ ------------------------------------------------
167+
168+ `BREACH `_ and `CRIME `_ are security exploits against HTTPS when using HTTP
169+ compression. Attacker can leverage information leaked by compression to recover
170+ targeted parts of the plaintext. To mitigate these attacks, and prevent an
171+ attacker from guessing the CSRF tokens, a random mask is prepended to the token
172+ and used to scramble it.
173+
165174.. _`Cross-site request forgery` : https://en.wikipedia.org/wiki/Cross-site_request_forgery
175+ .. _`BREACH``: https://en.wikipedia.org/wiki/BREACH
176+ .. _`CRIME``: https://en.wikipedia.org/wiki/CRIME
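Review bot: the two new hyperlink targets at the end of the hunk carry a doubled closing backtick (`.. _`BREACH``: https://en.wikipedia.org/wiki/BREACH` and `.. _`CRIME``: https://en.wikipedia.org/wiki/CRIME`), so they will not resolve the `BREACH`_ and `CRIME`_ references in the new paragraph; write them as `.. _BREACH: https://en.wikipedia.org/wiki/BREACH` and `.. _CRIME: https://en.wikipedia.org/wiki/CRIME`, or with a single backtick pair in the style of the existing `Cross-site request forgery` target directly above. In the prose, "Attacker can leverage" needs an article ("An attacker can leverage"), and the last sentence is ambiguous about what "it" refers to: say explicitly that the mask is prepended to the output and used to scramble the underlying secret, and state whether a fresh mask is generated each time a token is rendered, since the mitigation only works if the token bytes in each response differ while still validating against the same secret.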