On February 20, 2012 5:50 , Henrik Strand <henrik.str...@axis.com> wrote:
What are your best practices against Cross-Site Request Forgery?

Use of a CSRF token as described on the OWASP page you linked in your original message.


Does Apache Httpd support this out-of-the-box (incl. validation of the
token for each subsequent request until the session expires)?

No. I could argue that a web server that did this would violate the principle of least surprise for web applications and hence be likely to cause problems: generally, web servers don't modify the HTML that web applications generate, with a few specific exceptions (for example, mod_proxy_html or mod_sed). A different question might be, are there web application frameworks that automatically provide CSRF token generation and validation for all web applications that use the framework? Can you choose to write all of the applications that you run and have them use such a framework? Or are you stuck running web applications that other people have already written but which have CSRF security vulnerabilities which the authors are unwilling or unable to fix?

On the other hand, I could see providing CSRF protection at the web server level as being useful, since you then would not need to trust each web application author to both completely implement CSRF protection and to implement it correctly. Does anyone know of ANY web server that provides CSRF protection at the web server level? I'm curious.

--
  Mark Montague
  m...@catseye.org
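A framework-level synchronizer-token guard of the kind the reply above describes (one token per session, injected into every rendered form and checked on every state-changing request), as an added example that is not Apache httpd code or anything from this thread; the CsrfGuard class, the csrf_token field name and the in-memory session-to-token store are assumptions:

```python
import hmac
import secrets
from typing import Dict, Optional

# Requests with these methods must not change state, so they carry no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
FIELD_NAME = "csrf_token"  # assumed hidden-field name


class CsrfGuard:
    """Assumed framework hook: issues, injects and validates per-session CSRF tokens."""

    def __init__(self) -> None:
        # session id -> token; a real framework would keep this in its session store.
        self._tokens: Dict[str, str] = {}

    def token_for(self, session_id: str) -> str:
        # One unpredictable token per session, created on first use and kept
        # until the session ends, so every form in that session shares it.
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def inject(self, html: str, session_id: str) -> str:
        # Append the hidden field to every form the application renders.
        hidden = '<input type="hidden" name="%s" value="%s">' % (
            FIELD_NAME, self.token_for(session_id))
        return html.replace("</form>", hidden + "</form>")

    def validate(self, method: str, session_id: Optional[str], form: dict) -> bool:
        if method.upper() in SAFE_METHODS:
            return True
        # No session, or a session that was never issued a token: reject.
        if session_id is None or session_id not in self._tokens:
            return False
        submitted = str(form.get(FIELD_NAME, ""))
        # Constant-time comparison so a mismatch does not leak through timing.
        return hmac.compare_digest(submitted.encode(), self._tokens[session_id].encode())

    def end_session(self, session_id: str) -> None:
        # Drop the token when the session expires or the user logs out.
        self._tokens.pop(session_id, None)
```

The check keys the comparison on the session id from the request's own cookie, so a token issued to one session is rejected when submitted under another.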


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
