Hi,

I'm working on the OWASP CSRF Protector Project, a part of which intends to provide mitigation against CSRF using an Apache module. I'm currently writing an Apache 2.2 module, and most of it has been covered, while I'm finding difficulty with a few things. It would be very kind if you could give me a helping hand. I'm facing difficulty with:
1. I need to clear the POST & GET arguments, as an action in case CSRF is observed. I could implement it for GET requests easily; however, I could not figure out the same for POST.
2. *mod_csrfprotector* (name of the mod) uses an output filter to append content to the o/p generated by the content generator. However, I'm unable to set the Content-Length header in the same filter. It appears not to be set by then. It's sent as chunked to the browser.
3. I need to store tokens on the server for validation, for which we are considering using SQLite or memcached. I'd like to know your views on this.

Git repo of the project: https://github.com/mebjas/mod_csrfprotector

Contributions & feedback are welcome :)

Kind Regards,
Minhaz,
minhaz.cistoner.org