GIAC Foundational Cybersecurity Technologies Practice Test


Prepare for the GIAC Foundational Cybersecurity Technologies Test. Utilize flashcards and multiple-choice questions, each with detailed hints and explanations to excel. Boost your readiness for the exam!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



Where should CSRF tokens be placed to ensure security?

  1. In the HTTP headers

  2. As part of the GET request

  3. In the POST request

  4. Within a cookie

The correct answer is: In the POST request

Placing CSRF tokens in the POST request is a highly effective measure for ensuring security against cross-site request forgery attacks. By including the CSRF token in the body of a POST request, the application can verify that the request is coming from an authenticated user who has a valid session. When the server receives the POST request, it can check the CSRF token against the one stored on the server for the user session. If these tokens match, it confirms that the request originated from a legitimate source and not from a malicious site attempting to forge requests on behalf of the user.

Utilizing the POST request for CSRF tokens also aligns with best practices because POST requests typically change the state on the server, and thus it's crucial to ensure that these requests are legitimate. This mechanism prevents attackers from initiating unauthorized actions without the user's consent, thereby safeguarding sensitive operations like form submissions, account changes, or financial transactions.

Other placement options may not provide the same level of protection or may introduce vulnerabilities. For example, including the token in a GET request could inadvertently expose it through URL logging or Referer headers, while placing it within a cookie would not be as secure, considering cookies can be accessed via JavaScript and might lead to token leakage in XSS