cors csrf same-origin-policy websecurity

Does a proper CORS setup prevent CSRF attack?

If CORS is properly setup on a server to only allow a certain origins to access the server,

Is this enough to prevent CSRF attacks?

Solution

To be more specific, it is easy to make the mistake of thinking that if evil.example cannot make a request to good.example due to CORS then CSRF is prevented. There are two problems being overlooked, however:

CORS is respected by the browsers only. That means Google Chrome will obey CORS and not let evil.example make a request to good.example. However, imagine someone builds a native app or whatever which has a form that POSTs things to your site. XSRF tokens are the only way to prevent that.
Is it easy to overlook the fact that CORS is only for JS request. A regular form on evil.example that POSTs back to good.example will still work despite CORS.

For these reasons, CORS is not a good replacement for XSRF tokens. It is best to use both.

Why doesn't adding CORS headers to an OPTIONS route allow browsers to access my API?
CORS Configuration not working in WSO2 API Manager for Oauth2/token API
Google Web App Only Logging When Accessed Via Browser
Access to web manifest blocked by CORS policy
Forbidden access error: following Directus SDK tutorial
Why are my getting a preflight/Option request between server to server POST request
Angular CORS with Django
Access to XMLHttpRequest at '...' from origin 'localhost:3000' has been blocked by CORS policy
How to enable CORS with AWS SAM
CORS header ‘Access-Control-Allow-Origin’ missing error for new Cloudfare domain
Django Vue Js Axios has been blocked by CORS policy
How to properly allow CORS origin in Symfony API
CORS configuration for signalr UI client
Amazon s3 Javascript- No 'Access-Control-Allow-Origin' header is present on the requested resource
how to overcome CORS error in IONIC Vue 3 android build?
Why is an OPTIONS request sent and can I disable it?
Spring Boot Cors behind reverse-proxy on non-default port
CORS error accessing ASP.NET Core 8 Web API from Angular front-end
CORS issue, Cross origin error in spring boot. How do I allow CORS
No 'Access-Control-Allow-Origin' header is present on the requested resource—when trying to get data from a REST API
How to manually add response Access-Control-Allow headers to preflight requests
Cors Policy error in nestjs with react frontend
How to apply CORS preflight cache to an entire domain
CORS error on same domain?
CORS violation occuring in safari, but not chrome
CORS header 'Access-Control-Allow-Origin' does not match '*, *'
CORS issue from React frontend calling Flask server
Unable to configure NGINX to handle CORS
Why does my JavaScript code receive a "No 'Access-Control-Allow-Origin' header is present on the requested resource" error, while Postman does not?
Restrict api access in Node JS express