Understanding CSRF

The attacker has no way to get the token. Therefore the requests won't have any effect. I recommend this post from Gnucitizen; it has a pretty decent CSRF explanation: http://www.gnucitizen.org/blog/csrf-demystified/

Am I under risk of CSRF attacks in a POST form that doesn’t require the user to be logged in?

There are means of CSRF whenever malicious HTML or JavaScript targeted at your website has been embedded in another HTML page (or an email message) and successfully executed. An example is the following, which is placed in another webpage that innocently asks for your name and age before proceeding: <form action="http://yoursite.com/transferfunds" … Read more

Has Hardware Lock Elision gone forever due to Spectre Mitigation?

So, TSX may be disabled not to mitigate Spectre, but as part of another vulnerability mitigation, TSX Asynchronous Abort (TAA). Here's the relevant article on the Intel website: Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort / CVE-2019-11135 / INTEL-SA-00270, which links to two more detailed articles: TSX Asynchronous Abort (TAA) CVE-2019-11135 and Microarchitectural Store Buffer Data … Read more

Should be used for JSF 2.2 CSRF protection?

I am confused. I see that JSF 2.0 has implicit CSRF protection (How JSF 2.0 prevents CSRF). This implicit protection is on POST requests only (i.e. pages with <h:form>). On the other hand, according to the article http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html we should add the following element to the faces-config.xml file with the list of JSF pages: <protected-views> … Read more