LiveView CSRF Security

Because LiveView doesn’t do a standard POST, I’m trying to figure out how it manages CSRF security. Is some sort of check done any time a form’s “submit” button is pressed? Or maybe all attempts to write data in LiveView go through a check.

I’m trying to understand the security implications of saving form data on events such as click, keypress, etc. In other words, am I still safe if form data is saved outside of a typical button with type “submit”.

Thanks in advance for any guidance!

LV by default includes a signed CSRF token when connecting to the socket which is how each browser instance is being authorized/identified.

You should not be able to connect from a site that was not served via your backend, which protects against those types of attacks.

LiveView is stateful, remember, so each request does not need to validate a CSRF/auth token; only the initial socket initialization requires those checks.

2 Likes
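To make the answer above concrete, here is an added illustration (written for this thread, not code from the LiveView project) of where the token lives on each side and what the one-time check at connect time amounts to. The `MyAppWeb` module names, cookie key and signing salt are placeholders; the browser side is assumed to be the standard generated `app.js`, which reads the `<meta name="csrf-token">` tag from the layout and passes its value as `params: {_csrf_token: ...}` when constructing the `LiveSocket`.

```elixir
# Added example (not LiveView's own source). Shows the server-side wiring that
# lets the socket see the session, and a socket module that performs the same
# kind of CSRF check LiveView applies once, when the socket is established.

# 1. Endpoint: mount the socket with access to the session, since the signed
#    session cookie is where the server-side CSRF state is kept.
defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  # Placeholder values; a real app uses its generated key and salt.
  @session_options [
    store: :cookie,
    key: "_my_app_key",
    signing_salt: "PLACEHOLDER_SIGNING_SALT"
  ]

  socket "/live", Phoenix.LiveView.Socket,
    websocket: [connect_info: [session: @session_options]]

  plug Plug.Session, @session_options
  plug MyAppWeb.Router
end

# 2. Illustrative socket: the `_csrf_token` param sent by the browser (read from
#    the <meta name="csrf-token"> tag that only a page served by this backend
#    contains) must match the token state stored under "_csrf_token" in the
#    signed session. If it does not, the connection is refused, so no channel
#    exists over which later click/keypress/submit events could be pushed.
defmodule MyAppWeb.ExampleSocket do
  use Phoenix.Socket

  @impl true
  def connect(params, socket, connect_info) do
    session = connect_info[:session] || %{}
    session_state = session["_csrf_token"]
    param_token = params["_csrf_token"]

    if is_binary(param_token) and
         Plug.CSRFProtection.valid_state_and_csrf_token?(session_state, param_token) do
      # Every subsequent event arrives over this already-authorized connection,
      # which is why per-event CSRF checks are not needed.
      {:ok, socket}
    else
      :error
    end
  end

  @impl true
  def id(_socket), do: nil
end
```

The point of the custom socket is only to show the check in one place; with the generated setup, `Phoenix.LiveView.Socket` performs this comparison itself, and the thing to verify in your own app is that the layout renders the meta tag, `app.js` forwards it, and the socket is mounted with `connect_info: [session: ...]` so the session state is actually available to compare against.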

Thanks, makes sense!