ASVS Requirement 3.5.1
- Level: 1
- Chapter: V3 Web Frontend Security
- Section: V3.5 Browser Origin Separation
- Source: 0x12-V3-Web-Frontend-Security.md
Description
Verify that, if the application does not rely on the CORS preflight mechanism to prevent disallowed cross-origin requests from using sensitive functionality, these requests are validated to ensure they originate from the application itself. This may be done by using and validating anti-forgery tokens or by requiring extra HTTP header fields that are not CORS-safelisted request-header fields. This is to defend against browser-based request forgery attacks, commonly known as cross-site request forgery (CSRF).
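The check described above, as an added illustration that is not part of ASVS or any project's code: a server-side guard for state-changing requests that requires both a non-CORS-safelisted custom header (which a cross-origin page cannot add without triggering a preflight the server never approves) and a session-bound anti-forgery token. Header and cookie names, the `Session` class and the `XMLHttpRequest` marker value are assumptions chosen for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed names for this example; ASVS does not prescribe them.
ANTI_FORGERY_HEADER = "X-CSRF-Token"
CUSTOM_HEADER = "X-Requested-With"  # not a CORS-safelisted request-header field
CUSTOM_HEADER_VALUE = "XMLHttpRequest"
# Safe methods must not change state, so they need no origin check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass
class Session:
    """Server-side session holding a per-session anti-forgery token (assumed shape)."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def is_request_from_application(method: str, headers: dict, session: Session) -> bool:
    """Return True only if a state-changing request proves it came from our own frontend.

    Check 1: the custom header. Browsers only send non-safelisted headers cross-origin
             after a successful CORS preflight, which this application never grants.
    Check 2: the anti-forgery token. Must match the session's token; compared in
             constant time so a wrong token leaks nothing through timing.
    """
    if method.upper() in SAFE_METHODS:
        return True
    # Header field names are case-insensitive, so normalise before lookup.
    lower = {name.lower(): value for name, value in headers.items()}
    if lower.get(CUSTOM_HEADER.lower()) != CUSTOM_HEADER_VALUE:
        return False
    presented = lower.get(ANTI_FORGERY_HEADER.lower(), "")
    return hmac.compare_digest(presented, session.csrf_token)


def demo() -> dict:
    """Constructed requests: one legitimate, two that a forging page could produce."""
    session = Session()
    good = {CUSTOM_HEADER: CUSTOM_HEADER_VALUE, ANTI_FORGERY_HEADER: session.csrf_token}
    # A cross-site HTML form can only send safelisted headers and no token.
    html_form = {"Content-Type": "application/x-www-form-urlencoded"}
    # A script that guesses the header name still cannot know the session token.
    guessed = {CUSTOM_HEADER: CUSTOM_HEADER_VALUE, ANTI_FORGERY_HEADER: "guess"}
    return {
        "legitimate": is_request_from_application("POST", good, session),
        "html_form": is_request_from_application("POST", html_form, session),
        "guessed_token": is_request_from_application("POST", guessed, session),
        "safe_get": is_request_from_application("GET", html_form, session),
    }
```

Lowering the check to only the custom header is acceptable under the requirement, but it then depends entirely on the server never answering a CORS preflight for that header.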