CSRF: Protecting EUDI Wallet Web Applications from Forged Requests

Last updated: 2/9/2026
Reading time: 4 min

Full Name: Cross-Site Request Forgery

Definition

Cross-Site Request Forgery (CSRF or XSRF) is a web security vulnerability that exploits the trust a web application places in an authenticated user's browser. In a CSRF attack, a malicious website, email, or application causes the user's browser to perform an unwanted action on a trusted site where the user is currently authenticated. Because the browser automatically includes session credentials (cookies, HTTP authentication) with requests, the target application cannot distinguish between legitimate and forged requests without specific countermeasures. For EUDI Wallet web portals that manage credentials, consent, and identity data, CSRF protection is a critical security requirement.

How CSRF Attacks Work

A CSRF attack typically follows these steps:

  1. The victim authenticates to the target web application (e.g., their EUDI Wallet management portal) and receives a session cookie.
  2. While still authenticated, the victim visits a malicious website controlled by the attacker.
  3. The malicious website contains code (hidden forms, image tags, or JavaScript) that automatically sends a request to the target application.
  4. The victim's browser automatically includes the session cookie with this request.
  5. The target application receives what appears to be a legitimate, authenticated request and processes it.

The key insight is that the attacker does not need to steal the session cookie or break any encryption. They simply exploit the browser's behavior of automatically attaching cookies to requests. The attack succeeds because the server trusts that any request with a valid session cookie was intentionally made by the user.

In the EUDI Wallet context, potential CSRF attack targets include changing account settings (email, phone number), revoking or deleting credentials, modifying consent preferences, initiating credential sharing, or linking the wallet to a new device. Each of these operations could have severe consequences if performed without the user's knowledge.

CSRF Protection Mechanisms for EUDI Wallets

EUDI Wallet web applications implement multiple layers of CSRF protection:

  • Synchronizer Token Pattern: The server generates a unique, cryptographically random token for each user session and embeds it in every form as a hidden field. When the form is submitted, the server validates that the token matches. Since the attacker cannot read the token from another domain (blocked by same-origin policy), they cannot include it in forged requests.
  • SameSite Cookie Attribute: Setting session cookies with SameSite=Strict or SameSite=Lax instructs the browser not to send the cookie with cross-site requests. This is the most effective single defense against CSRF, as it stops the browser from attaching session credentials to forged requests in the first place. Note that SameSite=Lax still sends the cookie on top-level navigations (such as a link the user clicks), so state-changing actions must never be reachable via GET.
  • Origin Header Validation: The server checks the Origin and Referer headers on incoming requests to verify they originate from the expected domain. Requests from unexpected origins are rejected.
  • Custom Request Headers: For AJAX/API requests, requiring a custom header (such as X-CSRF-Token) provides additional protection, because a cross-origin request carrying a custom header triggers a CORS preflight check, and the server's CORS policy rejects the preflight for an unexpected origin.
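The four mechanisms above combined into a single gate for a state-changing endpoint, as an added illustration that is not code from the EUDI Wallet reference implementation. The portal origin, the session dictionary and the form/header dictionaries are assumed stand-ins for whatever the real web framework provides.

```python
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://wallet.example"  # assumed origin of the wallet portal


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: one random value per session, kept server-side
    and embedded in every form as a hidden field named csrf_token."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session cookie: SameSite=Strict keeps the browser
    from attaching it to cross-site requests; Secure and HttpOnly limit exposure."""
    return f"Set-Cookie: session={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def origin_allowed(headers: dict) -> bool:
    """Origin header validation with Referer as fallback. A request carrying
    neither is rejected: a real same-site form post always sends at least one."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == ALLOWED_ORIGIN


def token_valid(session: dict, form: dict, headers: dict) -> bool:
    """Accept the token from the hidden form field or from the X-CSRF-Token
    header (the custom-header variant used by AJAX calls); constant-time compare."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def state_change_allowed(method: str, session: dict, form: dict, headers: dict) -> bool:
    """Gate for every state-changing endpoint (revoke credential, change e-mail, ...):
    safe methods pass through; anything else needs a valid origin AND a valid token."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return True
    return origin_allowed(headers) and token_valid(session, form, headers)
```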

CSRF in the Context of EUDI Wallet API Architecture

Modern EUDI Wallet web applications often use token-based authentication (JWT or OAuth 2.0 access tokens) instead of session cookies for API communication. When tokens are stored in JavaScript memory (not cookies) and sent via Authorization headers, traditional CSRF attacks do not apply because the browser does not automatically include Authorization headers with cross-origin requests.

However, CSRF remains relevant for cookie-based authentication flows, server-rendered pages (such as consent management dashboards), and OAuth authorization endpoints. The EUDI Wallet reference implementation ensures all state-changing endpoints are protected regardless of the authentication mechanism used, following the defense-in-depth principle. Regular security audits verify that CSRF protections are correctly implemented across all wallet service endpoints.

Information verified against official sources (2/16/2026)

