Hacker News

owenthejumper, yesterday at 10:47 PM (5 replies)

Right now the problem is what the author already mentions - the use of Sec-Fetch-Site (FYI, HTTP headers are case insensitive :) - is considered defense in depth in OWASP right now, not a primary protection.

Unfortunately OWASP rules the world. Not because it's the best way to protect your apps, but because the corporate overlords in infosec teams need to check the box with "Complies with OWASP Top 10".


Replies

miguelgrinberg, yesterday at 10:52 PM

Hi, author here.

This was actually a mistake. If you look at the OWASP cheat sheet today you will see that Fetch Metadata is a top-level alternative to the traditional token-based protection.

I'm not sure I understand why, but the cheat sheet page was modified twice. First it entered the page with a top-level mention. Then someone slipped a revision that downgraded it to defense in depth without anyone noticing. It has now been reverted back to the original version.

Some details on what happened are in this other discussion from a couple of days ago: https://news.ycombinator.com/item?id=46347280.
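For readers who want to see what a Fetch Metadata CSRF check of the kind the cheat sheet describes looks like in practice, here is an added, framework-agnostic example (not the author's code or any project's). It assumes the usual resource-isolation policy (allow same-origin, same-site and user-initiated requests, allow cross-site top-level GET navigations, reject other cross-site requests), looks headers up case-insensitively as the parent comment notes, and defers requests that carry no Sec-Fetch-Site header at all to a caller-supplied fallback check (assumed to be a token or Origin check) rather than accepting them blindly.

```python
# Constructed example of a Fetch Metadata (Sec-Fetch-Site) CSRF check.
# Not the author's code; the policy encoded here is the common
# resource-isolation policy, and `fallback` is an assumed hook for the
# legacy check (token / Origin) used when the browser sends no Fetch Metadata.
from typing import Callable, Mapping, Optional


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup: HTTP field names are case-insensitive,
    so 'sec-fetch-site' and 'Sec-Fetch-Site' must be treated the same."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def fetch_metadata_allows(method: str, headers: Mapping[str, str],
                          fallback: Callable[[], bool]) -> bool:
    """Return True when the request passes the Fetch Metadata isolation policy.

    method   -- HTTP method of the request
    headers  -- request headers (any key casing)
    fallback -- check to run when Sec-Fetch-Site is absent (older browsers,
                non-browser clients); its result decides the request
    """
    site = _header(headers, "Sec-Fetch-Site")
    if site is None:
        # No Fetch Metadata at all: cannot decide here, defer to the fallback.
        return fallback()
    site = site.strip().lower()

    # Same-origin, same-site and user-initiated (address bar, bookmark)
    # requests are not cross-site and are allowed.
    if site in ("same-origin", "same-site", "none"):
        return True

    # Cross-site: only a top-level GET navigation is allowed, and not when
    # the page is being loaded into an <object> or <embed>.
    mode = (_header(headers, "Sec-Fetch-Mode") or "").strip().lower()
    dest = (_header(headers, "Sec-Fetch-Dest") or "").strip().lower()
    if method.upper() == "GET" and mode == "navigate" and dest not in ("object", "embed"):
        return True

    # Everything else cross-site (form POSTs, fetch/XHR, embeds) is rejected.
    return False
```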

8n4vidtmkvmk, today at 4:39 AM

Since when are they case sensitive? https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/... says otherwise.

It's possible for a server to treat them as case sensitive, but that seems like a bad idea.

tptacek, today at 4:36 AM

The OWASP Top 10 is a list of vulnerabilities, not a checklist of things you have to actually "do".

nchmy, today at 12:49 AM

Can you share links to better guidance than OWASP?