HIGH cross site request forgeryapi keys

Cross Site Request Forgery with Api Keys

Scan your API now

How Cross Site Request Forgery Manifests in API Keys

Cross Site Request Forgery (CSRF) in API keys exploits the trust that servers place in client-side requests. Unlike session-based CSRF where cookies are automatically sent, API key CSRF requires the attacker to trick the victim into including their API key in a malicious request. This typically occurs when API keys are stored in browser storage (localStorage, sessionStorage) or when they're embedded in client-side code.

The most common API key CSRF vector involves storing the key in localStorage and making fetch requests with the Authorization header. When a user visits a malicious website, JavaScript can trigger requests to the target API using the victim's stored API key:

// Malicious site code that exploits API key CSRF
fetch('https://api.target.com/user/profile', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer ' + localStorage.getItem('apiKey'),
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    'role': 'admin',
    'email': '[email protected]'
  })
});

Another variation occurs with API keys embedded in JavaScript files or configuration objects. If an attacker can execute code on a page where the API key is accessible, they can construct requests that modify user data, transfer funds, or escalate privileges:

// API key exposed in client-side config
const API_CONFIG = {
  baseUrl: 'https://api.target.com',
  apiKey: 'sk-1234567890abcdef'
};

// Attacker code that changes user email
fetch(`${API_CONFIG.baseUrl}/users/${userId}`, {
  method: 'PUT',
  headers: {
    'Authorization': `Bearer ${API_CONFIG.apiKey}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ email: '[email protected]' })
});

CSRF attacks against API keys are particularly dangerous when the API lacks proper state-changing request validation. Without requiring custom headers, request bodies that change predictably, or re-authentication for sensitive operations, attackers can perform actions like changing passwords, updating payment methods, or transferring ownership of resources.

API Keys-Specific Detection

Detecting API key CSRF vulnerabilities requires examining how keys are stored, transmitted, and validated. The first step is identifying where API keys exist in your application's attack surface. MiddleBrick's black-box scanning approach tests for CSRF vulnerabilities by attempting state-changing operations without proper anti-CSRF tokens or custom headers.

Key detection patterns include:

  • Storage analysis: Keys in localStorage, sessionStorage, or cookies without HttpOnly flags
  • Client-side exposure: Keys embedded in JavaScript bundles or accessible via window objects
  • Request validation: APIs that accept state-changing requests with only Authorization headers
  • Same-origin policy bypass: APIs that don't validate Origin or Referer headers

MiddleBrick scans specifically test for these vulnerabilities by:

# Example scan output showing CSRF vulnerability
{
  "category": "Authentication",
  "severity": "high",
  "finding": "API key stored in localStorage allows CSRF attacks",
  "remediation": "Move API key storage to HttpOnly cookies or use double-submit cookie pattern",
  "evidence": "Successful state-changing request without anti-CSRF token"
}

Manual testing should include attempting to change user settings, update profile information, or perform financial transactions from a different origin. Tools like Burp Suite or OWASP ZAP can help automate CSRF detection by modifying request headers and analyzing server responses.

API keys in mobile applications face similar risks when the app makes requests from web views or when keys are embedded in JavaScript that runs in hybrid app contexts. The detection approach remains the same: can an attacker trigger state-changing operations without proper anti-CSRF protections?

API Keys-Specific Remediation

Remediating API key CSRF requires implementing protections that make it difficult for attackers to forge valid requests. The most effective approach combines multiple defenses:

1. Move API keys to HttpOnly cookies: This prevents JavaScript from accessing the key, eliminating the primary CSRF vector:

// Server-side cookie setting
const http = require('http');

http.createServer((req, res) => {
  res.setHeader('Set-Cookie', [
    'apiKey=sk-1234567890abcdef; HttpOnly; Secure; SameSite=Strict',
    'csrfToken=abc123; Secure; SameSite=Strict'
  ]);
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ message: 'Authenticated' }));
}).listen(3000);

2. Implement double-submit cookie pattern: Send the API key in a cookie and a matching token in a custom header:

// Client-side request with double-submit
fetch('https://api.target.com/user/profile', {
  method: 'POST',
  headers: {
    'X-CSRF-Token': 'abc123', // Must match cookie value
    'Content-Type': 'application/json'
  },
  credentials: 'include' // Sends HttpOnly cookie
});

3. Use custom request headers: Require non-standard headers that attackers cannot easily forge:

// Server-side validation
app.use((req, res, next) => {
  if (req.method !== 'GET' && !req.headers['x-custom-api-key']) {
    return res.status(403).json({ error: 'Missing custom header' });
  }
  next();
});

4. Implement origin validation: Check the Origin or Referer headers for state-changing requests:

// Middleware to validate request origin
function validateOrigin(req, res, next) {
  const allowedOrigins = ['https://yourdomain.com'];
  const origin = req.headers.origin || req.headers.referer;
  
  if (req.method !== 'GET' && !allowedOrigins.includes(origin)) {
    return res.status(403).json({ error: 'Invalid origin' });
  }
  next();
}

5. Require re-authentication for sensitive operations: Even with API keys, prompt for additional verification before critical changes:

// Two-factor for sensitive changes
app.put('/user/email', (req, res) => {
  if (!req.headers['x-2fa-code']) {
    return res.status(403).json({ 
      error: 'Two-factor required for email changes',
      prompt: 'Enter 2FA code'
    });
  }
  // Validate 2FA code...
});

The most robust solution combines HttpOnly cookies with custom headers and origin validation. This multi-layered approach ensures that even if one defense fails, others remain to protect against CSRF attacks on API keys.

Scan your API now Free API security scan

Frequently Asked Questions

Can API keys be protected from CSRF using CORS alone?
No, CORS only controls which origins can make requests to your API, but it doesn't prevent CSRF attacks. CORS headers like Access-Control-Allow-Origin don't stop malicious sites from making requests with stolen API keys. You need additional protections like HttpOnly cookies, custom headers, or anti-CSRF tokens to properly defend against CSRF.
Should I store API keys in localStorage or sessionStorage for client-side applications?
Never store API keys in localStorage or sessionStorage for applications that make state-changing requests. These storage mechanisms are vulnerable to XSS and CSRF attacks. Instead, use HttpOnly cookies for API keys or implement a backend proxy that handles authentication, keeping keys completely out of client-side code.

Related Pages

Cross Site Request Forgery in APIsLearn how Cross Site Request Forgery (CSRF) attacks exploit API trust relationships and how to protect your endpoints wiApi Keys API SecurityAPI keys are simple but risky. Learn common misconfigurations like hardcoded keys, logging exposure, and missing rate liCross Site Request Forgery on AwsCross Site Request Forgery in AWS applications: detect and prevent CSRF attacks on Lambda functions, API Gateway, and CoCross Site Request Forgery on AzureLearn how Cross Site Request Forgery attacks Azure environments, including Azure Functions, API Management, and Logic ApHipaa: Cross Site Request ForgeryLearn how CSRF attacks can violate HIPAA by compromising PHI in healthcare APIs, including detection via middleBrick andCis: Cross Site Request ForgeryLearn how CSRF exploits cross-site trust in APIs, how middleBrick detects missing protections, and implement fixes usingGdpr: Cross Site Request ForgeryLearn how CSRF vulnerabilities in APIs can trigger GDPR breaches, how to detect them with middleBrick, and implement fixIso 27001: Cross Site Request ForgeryLearn how ISO 27001 relates to CSRF in APIs, detection via middleBrick, and code fixes using tokens and SameSite attribuCross Site Request Forgery in Adonisjs with Api KeysUnderstand CSRF with API keys in AdonisJS and apply key-only auth, scoped keys, and origin checks. See concrete AdonisJSCross Site Request Forgery in Axum with Api KeysCSRF with API keys in Axum: risks and remediation. Secure header and origin validation examples.Cross Site Request Forgery in Buffalo with Api KeysCSRF in Buffalo with API keys: risks and remediation, including cookie settings, origin validation, and anti-CSRF tokensCross Site Request Forgery in Actix with Api KeysUnderstand CSRF in Actix with API keys and implement API key-specific fixes including anti-CSRF tokens and strict CORS i