Sunday, June 10, 2012

mod_csrf - Apache module to prevent cross-site request forgery


mod_csrf is a module for the Apache web server. It prevents cross-site request forgery attacks against vulnerable HTML forms.


The mod_csrf project implements protection measures against cross-site request forgery (CSRF) attacks. The project provides two components:
  • A JavaScript which injects a unique request id (per user/per session) into HTTP requests. The request id is added to every HTML form, hyperlink ("a" tag by default; the list of attributes may be extended), as well as to Ajax requests.
  • An Apache module which may be used to verify that HTTP requests contain this unique id injected by the JavaScript.

mod_csrf is open source software licensed under the GNU Lesser General Public License. Downloads are handled by SourceForge.net.

Module Directives

  • CSRF_Enable 'on'|'off'
    Enables or disables the module on a per server or location basis. Default is 'on'.
  • CSRF_EnableReferer 'on'|'off'
    mod_csrf may deny requests whose HTTP Host and Referer header do not contain the very same hostname. This referer header check is enabled by default.
  • CSRF_Action 'deny'|'log'
    Defines the action to take when a request violates the configured rules. Default is 'deny'.
  • CSRF_PassPhrase <string>
    Used to encrypt the mod_csrf request id. Default is a non-persistent random passphrase.
  • CSRF_Timeout <seconds>
    The validity period of the csrf request id injected by the JavaScript. Default is 3600 seconds.
  • CSRF_ScriptPath <path>
    URL path of the JavaScript to include in each HTML page, which is then used to inject the mod_csrf request id. Default path is '/csrf.js'.

Module Variables

  • CSRF_IGNORE
    The module enforces that every request containing arguments (query string or request body parameters) also contains the request id injected by the JavaScript. Some handlers (URL patterns) such as those ending in *.jpg, *.png, *.css, etc. are excluded from this rule. You may exclude additional requests by setting this environment variable using mod_setenvif or mod_setenvifplus.
    Example:
      SetEnvIf Request_URI /startpage.html CSRF_IGNORE=yes
  • CSRF_ATTRIBUTE
    This environment variable defines the content within the request id. It may be set using mod_setenvif or mod_setenvifplus and may contain values such as the user name or a session cookie.
    Example:
      SetEnvIfPlus Remote_User (.*) CSRF_ATTRIBUTE=$1
  • UNIQUE_ID
    A unique request id generated by mod_unique_id which is (if available) used within log messages written by mod_csrf. We recommend using this id within the transaction log as well.
    Example:
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\" \"%{Referer}i\" %T id=%{UNIQUE_ID}e %{CSRF_ATTRIBUTE}e #%P"
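The following httpd.conf fragment is an added example that combines the directives and environment variables listed above into one virtual host; it is not configuration shipped by the mod_csrf project. The LoadModule name and module path, the hostname, the excluded URL paths and the passphrase value are assumptions.

```apache
# Added example; module identifier and .so path are assumed, not taken from the project.
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule csrf_module      modules/mod_csrf.so

<VirtualHost *:443>
    ServerName www.example.com

    # Turn the module on and reject (not merely log) violating requests.
    CSRF_Enable        on
    CSRF_Action        deny

    # Keep the Host/Referer hostname consistency check (the default).
    CSRF_EnableReferer on

    # A fixed passphrase keeps request ids valid across server restarts; with the
    # default non-persistent random passphrase every restart invalidates all
    # outstanding ids. Placeholder value, replace with a long random secret.
    CSRF_PassPhrase    "CHANGE-ME-long-random-passphrase"

    # Shorter id lifetime than the 3600 s default for a sensitive application.
    CSRF_Timeout       900

    # Location of the injecting JavaScript (default shown explicitly).
    CSRF_ScriptPath    /csrf.js

    # Bind the request id to the authenticated user (mod_setenvifplus).
    SetEnvIfPlus Remote_User (.*) CSRF_ATTRIBUTE=$1

    # Requests that legitimately carry parameters but no request id, e.g. the
    # entry page reached from an external link and a monitoring endpoint
    # (assumed paths).
    SetEnvIf Request_URI ^/startpage\.html$ CSRF_IGNORE=yes
    SetEnvIf Request_URI ^/healthz$         CSRF_IGNORE=yes

    # Public, parameter-free content does not need the check at all.
    <Location /public/>
        CSRF_Enable off
    </Location>

    # Transaction log carrying the same UNIQUE_ID that mod_csrf writes into its
    # own messages, so a denied request can be correlated with the access log.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\" \"%{Referer}i\" %T id=%{UNIQUE_ID}e %{CSRF_ATTRIBUTE}e #%P" csrf_combined
    CustomLog logs/access_log csrf_combined
</VirtualHost>
```

When rolling the module out, set CSRF_Action to 'log' first and watch the access log for requests that lack an id but are legitimate (deep links, API clients without the JavaScript), then add CSRF_IGNORE rules for those paths before switching to 'deny'.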
Source -
