Subdomain CSRF

[lilz-chai]

We're using Flask Security in our application and we're having some trouble with the CSRF token when requests are coming from a different subdomain.

The setup is:

• frontend running on a.domain.com
• backend (using Flask Security) on domain.com
• the CSRF token is passed to the frontend in a cookie

The problem is that the CSRF cookie isn't set on the frontend and subsequently not passed to the backend in further requests (thus failing the CSRF check).
I've read through the documentation but couldn't find any explanation for this use case. There appear to be a lot of configuration values around this but I'm struggling to find the correct combination to get this working.

The current CSRF settings are:

    config["SECURITY_CSRF_COOKIE_NAME"] = "X-CSRF-Cookie"
    config["SECURITY_CSRF_COOKIE"] = {"samesite": "Strict", "httponly": False, "secure": False, "domain": ".[domain.com](http://domain.com/)"}
    config["SECURITY_REDIRECT_ALLOW_SUBDOMAINS"] = True
    config["SECURITY_REDIRECT_ALLOWED_SUBDOMAINS"] = ["a", "b"]
    config["SECURITY_REDIRECT_BASE_DOMAIN"] = "[domain.com](http://domain.com/)"
    config["SECURITY_CSRF_HEADER"] = "X-CSRF-Header"
    config["SECURITY_CSRF_PROTECT_MECHANISMS"] = ["session"]
    config["WTF_CSRF_TIME_LIMIT"] = 900
    config["WTF_CSRF_CHECK_DEFAULT"] = False
    config["SECURITY_CSRF_IGNORE_UNAUTH_ENDPOINTS"] = False
    config["WTF_CSRF_HEADERS"] = []

Any help would be greatly appreciated.

[jwag956]

Hi - quick question - I am not familiar with your cookie domain syntax - shouldn't it just be: "domain": "domain.com"
which will include all sub-domains?

Also - I assume that your browser is getting and setting the cookie - it's just that it isn't sending it on POST requests?

[lilz-chai]

Hi - quick question - I am not familiar with your cookie domain syntax - shouldn't it just be: "domain": "domain.com"
which will include all sub-domains?

Howdy
I'm not entirely sure.
I thought the same but when reading around I found sources which say the leading . is required.
When I tested in a browser both seemed to work, however it seems Flask (or Flask Security, or something else in the pipeline) trims the leading .

Also - I assume that your browser is getting and setting the cookie - it's just that it isn't sending it on POST requests?

The browser receives the cookie (a Set-Cookie header is in the response) but doesn't appear to set it.
In the cookie, the Domain directive is domain.com

[lilz-chai]

@jwag956 Sorry to pester but is there any update on this?

[jwag956]

If your browser isn't actually accepting the cookie - then that's the first problem! So - from a browser debug window can you post the entire cookie contents? and maybe the actual request/response headers?

[anntnzrb]

The issue is samesite: "Strict" in your CSRF cookie config. With Strict, browsers won't send cookies on cross-subdomain requests (a.domain.com → domain.com). Change to:

config["SECURITY_CSRF_COOKIE"] = {
    "samesite": "Lax",  # or "None" with secure=True
    "httponly": False,
    "secure": False,  # True if using samesite=None
    "domain": "domain.com"
}

Lax provides CSRF protection while allowing top-level navigation cookies across subdomains.

[lilz-chai]

Interesting. I was under the impression the browser would still honour the domain (for all subdomains) in that instance - although I admit it does sound backwards.
I'll give that a try now, thanks

[lilz-chai]

This did the trick. Thank you