httpd-users mailing list archives

From Mark Montague <m...@catseye.org>
Subject Re: [users@httpd] Cross-Site Request Forgery
Date Mon, 20 Feb 2012 14:26:15 GMT
On February 20, 2012 5:50 , Henrik Strand <henrik.strand@axis.com> wrote:
> What are your best practices against Cross-Site Request Forgery?

Use of a CSRF token as described on the OWASP page you linked in your 
original message.


> Does Apache Httpd support this out-of-the-box (incl. validation of the
> token for each subsequent request until the session expires)?

No.  I could argue that a web server that did this would 
violate the principle of least surprise for web applications and hence 
be likely to cause problems:  generally, web servers don't modify the 
HTML that web applications generate, with a few specific exceptions (for 
example, mod_proxy_html or mod_sed).  A different question might be, are 
there web application frameworks that automatically provide CSRF token 
generation and validation for all web applications that use the 
framework?  Can you choose to write all of the applications that you run 
and have them use such a framework?  Or are you stuck running web 
applications that other people have already written but which have CSRF 
security vulnerabilities which the authors are unwilling or unable to fix?

On the other hand, I could see providing CSRF protection at the web 
server level as being useful, since you then would not need to trust 
each web application author to both completely implement CSRF protection 
and to implement it correctly.  Does anyone know of ANY web server that 
provides CSRF protection at the web server level?  I'm curious.

--
   Mark Montague
   mark@catseye.org
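
The synchronizer-token pattern the reply above recommends, as an added example that is not part of the original message, the OWASP page, or Apache httpd: a per-session token is issued once, embedded in every form (or sent in a request header for script-driven requests), and checked with a constant-time comparison on every state-changing request. The in-memory `SESSIONS` dict, the `Request` class and the session ids are constructed stand-ins for whatever session backend and request object a real application has.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the application's session store: session_id -> token.
# In a real application this lives in the same place as the rest of the session.
SESSIONS: dict = {}

# Methods that must have no side effects and therefore need no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def issue_token(session_id: str) -> str:
    """Return the session's synchronizer token, creating it on first use."""
    if session_id not in SESSIONS:
        SESSIONS[session_id] = secrets.token_urlsafe(32)
    return SESSIONS[session_id]


def rotate_token(session_id: str) -> str:
    """Replace the token; call this on login so a token captured from a
    pre-authentication page (or a fixated session) stops working."""
    SESSIONS[session_id] = secrets.token_urlsafe(32)
    return SESSIONS[session_id]


def render_form(session_id: str, action: str) -> str:
    """Embed the session's token in a form as a hidden field. A cross-site
    attacker cannot read this page, so they cannot learn the value."""
    token = issue_token(session_id)
    return (
        f'<form method="POST" action="{action}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        "</form>"
    )


@dataclass
class Request:
    """Constructed minimal request model (hypothetical, not a real framework's)."""
    method: str
    session_id: Optional[str]
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def validate(request: Request):
    """Return (allowed, reason). Every non-safe request must carry the token
    that matches the one bound to the caller's session."""
    if request.method.upper() in SAFE_METHODS:
        return True, "safe method, no token required"
    sid = request.session_id
    if sid is None or sid not in SESSIONS:
        return False, "no session"
    # Accept the token from the form body or, for XHR/fetch callers, a header.
    submitted = request.form.get("csrf_token") or request.headers.get("X-CSRF-Token")
    if not submitted:
        return False, "missing token"
    # Constant-time compare on bytes so an attacker-controlled non-ASCII value
    # cannot raise a TypeError and timing cannot leak the expected token.
    if not hmac.compare_digest(submitted.encode("utf-8"), SESSIONS[sid].encode("utf-8")):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token("sess-A")
    print(render_form("sess-A", "/transfer"))
    # A forged cross-site form carries the victim's session cookie but no token.
    print(validate(Request("POST", "sess-A", form={"amount": "100"})))
    print(validate(Request("POST", "sess-A", form={"csrf_token": tok})))
```

The check is deliberately applied to every non-safe method rather than only to POST; a DELETE or PUT triggered from another origin is just as much a forged request. Rotating the token at login covers the case where the token was issued before authentication.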


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

