My Kitchen


What is CSRF?

CSRF stands for Cross-Site Request Forgery. It is a means of crafting a link that you are tricked into clicking on, through email or other means, which then executes actions on your account without notifying you or asking your permission. Clicking on such a link could do things like change your email address, your password, your physical address, or alter your account settings. All of these things can compromise your account and cause unwanted and possibly fraudulent activity on it -- ranging from something as simple as ordering extra meals on your behalf to something as complex as taking over your account and using our system to order their own food at your expense.

What do we do about this threat?

As mentioned on the Cookie page, we use a CSRF token system. Every request you generate is issued a token -- a long alphanumeric string -- that is stored on both ends of the request. When fulfilling that request, we verify that the token is present and matching on both sides before accepting it. The token is generated in a cryptographically secure manner, and a fresh one is generated for every individual request, be it logging into our website, changing your password, ordering meals, or anything else that can update or alter your account. This doesn't mean the threat can be ignored entirely, but it does go a long way to mitigate its effects.
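To illustrate the mechanism described above, here is a small added example of a per-request token check. It is not My Kitchen's own code: the in-memory store, the session identifier, and the change-password handler are assumptions made for the illustration. A forged request arriving from another site has no way to know the token the server issued, so it fails the check; a token that has already been used is refused as well.

```python
import hmac
import secrets
from typing import Dict, Optional, Set

# Constructed, in-memory stand-in for the server side of the token store.
# Maps a session id (assumed to come from the login cookie) to the tokens
# that are still valid for that session.
_issued_tokens: Dict[str, Set[str]] = {}


def issue_token(session_id: str) -> str:
    """Mint a fresh, single-use CSRF token for one request.

    secrets.token_urlsafe draws from the operating system's cryptographic
    random source, so the value is unguessable. The server keeps a copy so
    it can recognise the token when the request comes back.
    """
    token = secrets.token_urlsafe(32)
    _issued_tokens.setdefault(session_id, set()).add(token)
    return token


def verify_token(session_id: str, submitted: Optional[str]) -> bool:
    """Accept the submitted token only if it matches one issued to this session.

    The token is removed on success so the same request cannot be replayed.
    """
    if not submitted:
        return False
    valid = _issued_tokens.get(session_id, set())
    for token in tuple(valid):
        # Constant-time comparison on bytes: no timing leak, and no error on
        # non-ASCII input.
        if hmac.compare_digest(token.encode("utf-8"), submitted.encode("utf-8")):
            valid.discard(token)
            return True
    return False


def handle_change_password(session_id: str, form: Dict[str, str]) -> str:
    """Hypothetical action handler: the account change happens only after
    the token check passes; otherwise the request is rejected."""
    if not verify_token(session_id, form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    return "ok: password changed"


if __name__ == "__main__":
    # Legitimate flow: the page that rendered the form received a token,
    # and the browser sends it back with the submission.
    session = "session-of-alice"  # constructed sample session id
    token = issue_token(session)
    print(handle_change_password(session, {"csrf_token": token}))

    # A forged request from another site carries no token (or a guessed one),
    # and the already-used token cannot be replayed.
    print(handle_change_password(session, {}))
    print(handle_change_password(session, {"csrf_token": "guessed-value"}))
    print(handle_change_password(session, {"csrf_token": token}))
```

The two properties that matter are visible in `verify_token`: the token is compared against what the server itself issued to that session, and it is discarded once used, so each token serves exactly one request as the text above describes.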

Is there anything that you, the customer, needs to do?

As with all online threats, the key is to be wary. Make sure that the website you want to log into is the one shown in the address bar. Be sure that the links you click take you to the website you expect. If ever in doubt, navigate to the website on your own and reach the page you want that way. If all else fails, contact the customer support of the website in question and ask for confirmation -- they'll be able to tell you the signs to look for to be sure it's all authentic.