
DOCS-9362 Fix the CSRF page #1624

Merged
merged 12 commits into from
Oct 17, 2024

Conversation

@jescalan (Contributor) commented Oct 10, 2024

Explanation:

The CSRF page contained inaccurate links and inaccurate statements, and generally didn't adequately explain what a CSRF attack is and how Clerk helps to prevent them. This set of edits should fix that up!

Also just food for thought - while Clerk does add a lot of important security guarantees throughout the product, this is one of the less impactful ones, since all we do is use the default value and not change the samesite flag on cookies to an insecure option. To be fair, there are plenty of cases in which people will do this and unwittingly open themselves to attack, but you'd kind of have to go out of your way to make a mistake in order to do so, which is why I say that while it's not value-less, it's not our strongest security guarantee. Especially compared with the 1m-expiration JWTs, which substantially hamper XSS attackers and are a much more unique and impactful security feature of our architecture. And I don't think we really go through and explain that on any of our other docs pages, other than a VERY small mention here 🤷‍♂️
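The description above rests on one browser rule: a session cookie whose SameSite attribute is left at the default is not attached to a cross-site form POST, so an attacker's page cannot ride the victim's session. The following is an added example written for this page, not code from the PR or from Clerk. It models that rule in plain JavaScript and assumes a Chromium-style browser that treats an unspecified SameSite attribute as Lax; the cookie headers, the cookie name `session`, and the function names `parseSetCookie`, `cookieIsSent` and `vulnerableToFormCsrf` are all constructed for the example.

```javascript
// Added example, not Clerk's code: a model of the SameSite rule that blocks
// classic CSRF. Assumption: unspecified SameSite is treated as Lax
// (Chromium default); other browsers do not all apply that default.

// Parse a Set-Cookie header value into the fields that matter for CSRF.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    sameSite: null, // null: the attribute was not set at all
    secure: false,
  };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'samesite':
        cookie.sameSite = val.trim().toLowerCase();
        break;
      case 'secure':
        cookie.secure = true;
        break;
      default:
        break; // Path, HttpOnly, Max-Age etc. do not change the SameSite decision
    }
  }
  return cookie;
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Would the browser attach `cookie` to a request made in context `ctx`?
// ctx = { crossSite: bool, method: string, topLevelNavigation: bool }
function cookieIsSent(cookie, ctx) {
  let mode = cookie.sameSite || 'lax'; // assumption: Lax-by-default browser
  if (!['strict', 'lax', 'none'].includes(mode)) mode = 'lax'; // unknown value: treated as unspecified
  if (mode === 'none') {
    // SameSite=None without Secure is rejected when set, so it is never sent.
    return cookie.secure;
  }
  if (!ctx.crossSite) return true; // same-site requests always carry the cookie
  if (mode === 'strict') return false; // Strict: never cross-site
  // Lax: only top-level navigations using a safe method carry the cookie.
  return ctx.topLevelNavigation && SAFE_METHODS.has(ctx.method.toUpperCase());
}

// The classic CSRF vector: an attacker page auto-submits <form method="POST">
// to the victim site. From the browser's point of view that is a cross-site,
// top-level POST.
const CSRF_FORM_POST = { crossSite: true, method: 'POST', topLevelNavigation: true };

// Does a session cookie set with this header ride along on that request?
function vulnerableToFormCsrf(setCookieHeader) {
  return cookieIsSent(parseSetCookie(setCookieHeader), CSRF_FORM_POST);
}

// Constructed Set-Cookie values (not captured from any real service):
// the default the PR description talks about, and the "went out of your way"
// misconfiguration that re-opens the door.
const DEFAULT_COOKIE = 'session=tokenvalue; Path=/; Secure; HttpOnly';
const WEAKENED_COOKIE = 'session=tokenvalue; Path=/; Secure; HttpOnly; SameSite=None';

function demo() {
  return {
    defaultCookieVulnerable: vulnerableToFormCsrf(DEFAULT_COOKIE), // false
    weakenedCookieVulnerable: vulnerableToFormCsrf(WEAKENED_COOKIE), // true
  };
}
```

Two caveats a reviewer of the real docs page would want next to this: Chromium's Lax-by-default comes with a "Lax+POST" exception that still sends a cookie with no explicit SameSite attribute on a cross-site top-level POST for two minutes after the cookie was set, and not every browser applies the Lax default at all. Setting `SameSite=Lax` or `Strict` explicitly, rather than relying on the default, removes both gaps; an anti-CSRF token on state-changing requests covers whatever the cookie attribute does not.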

@jescalan jescalan requested a review from a team as a code owner October 10, 2024 21:53

Hey, here’s your docs preview: https://clerk.com/docs/pr/1624

8 review threads on docs/security/csrf-protection.mdx (outdated, resolved)
@alexisintech alexisintech changed the title Fix the CSRF page DOCS-9362 Fix the CSRF page Oct 15, 2024
@jescalan jescalan requested a review from alexisintech October 15, 2024 18:51
@victoriaxyz (Contributor) left a comment


Approved pending @alexisintech 👀

@alexisintech alexisintech merged commit 750695d into main Oct 17, 2024
3 checks passed
@alexisintech alexisintech deleted the je.fix-csrf-page branch October 17, 2024 17:19
3 participants