PWA (Service Worker) and "invalid CSRF (Cross Site Request Forgery) token"

Hello :wave:

I want pages to be available for offline usage through a Service Worker, so that the application can be installed as a PWA.

The problem is that I have forms on those pages using CSRF tokens, and those tokens (I guess) expire at some point. When trying to submit a form with a CSRF token on a page that was stored in the cache a few days ago, I get the following error:

Plug.CSRFProtection.InvalidCSRFTokenError
invalid CSRF (Cross Site Request Forgery) token, make sure all requests include a valid ‘_csrf_token’ param or ‘x-csrf-token’ header

I’m coming to the conclusion that I can’t store those pages offline; but even my homepage has a form… almost all pages of this app have a form.
So I’d rather have to disable the plug altogether; but then I’m not sure what security risks I expose my app to. Or maybe I only have to disable the date expiration part of the plug; is that even possible, though?

What is my best option? Any ideas are welcome.

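As an added example (not code from the original post, and not part of Plug or Phoenix), here is one way to keep cached PWA pages usable while leaving Plug.CSRFProtection enabled: the service worker serves HTML network-first so a fresh token is embedded whenever the device is online, and the page script refreshes the token in a cached form at submit time. It assumes a hypothetical GET `/csrf-token` route in the app that returns `{"token": "..."}` with the value of `Plug.CSRFProtection.get_csrf_token/0` for the current session; the `_csrf_token` hidden input is the one Phoenix form helpers emit.

```javascript
// Added example for the thread above; not code from the original post or from
// Plug/Phoenix. Assumption (hypothetical): the app exposes GET /csrf-token,
// returning {"token": "<value of Plug.CSRFProtection.get_csrf_token/0>"} for
// the current session. Forms carry the "_csrf_token" hidden input that
// Phoenix form helpers emit.

const STATIC_CACHE = 'static-v1';

// ---- service worker side ----

// Choose how the worker answers a request:
// - non-GET requests (form posts carrying the token) never touch the cache;
// - HTML navigations go network-first, so the token in the page is fresh
//   whenever the network is up and the cached copy is only an offline fallback;
// - versioned static assets are safe to serve cache-first.
function strategyFor(request) {
  if (request.method !== 'GET') return 'network-only';
  const accept = request.headers.get('accept') || '';
  if (request.mode === 'navigate' || accept.includes('text/html')) return 'network-first';
  const path = new URL(request.url).pathname;
  if (/\.(js|css|png|svg|woff2?)$/.test(path)) return 'cache-first';
  return 'network-only';
}

// Fetch handler built on strategyFor. Registered only inside a worker
// (self and caches exist there), so this file also loads in Node for testing.
async function respondTo(request) {
  const cache = await caches.open(STATIC_CACHE);
  switch (strategyFor(request)) {
    case 'cache-first': {
      const hit = await cache.match(request);
      if (hit) return hit;
      const res = await fetch(request);
      if (res.ok) cache.put(request, res.clone());
      return res;
    }
    case 'network-first':
      try {
        const res = await fetch(request);
        if (res.ok) cache.put(request, res.clone());
        return res;
      } catch (err) {
        const hit = await cache.match(request);
        if (hit) return hit;
        throw err;
      }
    default:
      return fetch(request);
  }
}

if (typeof self !== 'undefined' && typeof caches !== 'undefined') {
  self.addEventListener('fetch', (event) => event.respondWith(respondTo(event.request)));
}

// ---- page side (runs in the window, not the worker) ----

// Ask the server for the token bound to the current session. fetchImpl is
// injectable so the function can be exercised without a network.
async function fetchFreshToken(fetchImpl = fetch) {
  const res = await fetchImpl('/csrf-token', {
    credentials: 'same-origin',          // the token is tied to the session cookie
    headers: { accept: 'application/json' },
    cache: 'no-store',                   // never let this response be cached
  });
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  const body = await res.json();
  if (typeof body.token !== 'string' || body.token.length === 0) {
    throw new Error('no token in response');
  }
  return body.token;
}

// Before a (possibly cached) form is submitted, swap in a fresh token. If the
// fetch fails the device is offline, and the POST would fail anyway.
if (typeof document !== 'undefined') {
  document.addEventListener('submit', async (event) => {
    const form = event.target;
    const input = form.querySelector('input[name="_csrf_token"]');
    if (!input || form.dataset.tokenRefreshed) return; // not CSRF-protected, or already refreshed
    event.preventDefault();
    try {
      input.value = await fetchFreshToken();
      form.dataset.tokenRefreshed = '1';
      form.requestSubmit();
    } catch (err) {
      console.error('Cannot refresh CSRF token (offline?); submit aborted.', err);
    }
  });
}
```

The design choice is to keep the plug in place and treat the token as session-bound data that a long-lived cache must not freeze: HTML is refreshed from the network whenever possible, and a cached form still asks the server for the token that matches the current session right before posting. Turning the plug off instead would leave every state-changing form open to cross-site requests.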

Hi @thojanssens1

I found this cheat sheet that may provide better help for your question; it’s the recommendations from OWASP, the organization that creates web security proposals.

Here is the link https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html