httpd-users mailing list archives

From Tom Evans <tevans...@googlemail.com>
Subject Re: [users@httpd] Cross-Site Request Forgery
Date Mon, 20 Feb 2012 15:00:32 GMT
On Mon, Feb 20, 2012 at 2:26 PM, Mark Montague <mark@catseye.org> wrote:
> On the other hand, I could see providing CSRF protection at the web server
> level as being useful, since you then would not need to trust each web
> application author to both completely implement CSRF protection and to
> implement it correctly.  Does anyone know of ANY web server that provides
> CSRF protection at the web server level?  I'm curious.
>

I'm not aware of one, but one could implement such a scheme in Apache,
using mod_session as backend, an output filter detecting the start of
a form tag in responses, grokking an internal location and auto
inserting the csrf token, and an input filter refusing POST requests
when the csrf token is not supplied or does not match that in the
session.

I think rewriting forms to insert csrf tokens is a bit 'eeurgh!' personally…

Cheers

Tom
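Added example (not code from Tom's message or from the httpd project): a toy model of the scheme sketched above, written in Python rather than as a real httpd module. A dict stands in for the mod_session backend, `output_filter` plays the output filter that inserts a hidden token into each POST form in the response, and `input_filter` plays the input filter that refuses POST requests whose token is missing or does not match the session. The field name `csrf_token`, the session ids and the decision to skip forms whose action points at another origin are assumptions made for this example.

```python
"""Web-server-level CSRF protection, modelled in Python.

Session store  -> stands in for mod_session
output_filter  -> inserts a hidden token after every POST <form ...> tag
input_filter   -> rejects POSTs whose token is absent or does not match
This is an added illustration, not httpd filter code.
"""
import hmac
import re
import secrets
from urllib.parse import parse_qs

# Session store keyed by session id (constructed stand-in for mod_session).
SESSIONS: dict[str, dict] = {}
TOKEN_FIELD = "csrf_token"  # hypothetical hidden-field name
FORM_OPEN_TAG = re.compile(r"<form\b[^>]*>", re.IGNORECASE)
METHOD_POST = re.compile(r'method\s*=\s*["\']?\s*post', re.IGNORECASE)
# Absolute or protocol-relative action: assume it targets another origin,
# and do not leak our token into it.
FOREIGN_ACTION = re.compile(r'action\s*=\s*["\']?\s*(https?:)?//', re.IGNORECASE)


def get_or_create_token(session_id: str) -> str:
    """Return the session's CSRF token, minting one on first use."""
    session = SESSIONS.setdefault(session_id, {})
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def output_filter(session_id: str, body: str) -> str:
    """Rewrite the response body so every same-origin POST form carries the token."""
    token = get_or_create_token(session_id)
    hidden = f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'

    def inject(match: re.Match) -> str:
        tag = match.group(0)
        if not METHOD_POST.search(tag):
            return tag  # GET forms should not change state; leave them alone
        if FOREIGN_ACTION.search(tag):
            return tag  # do not hand the token to a third-party action URL
        return tag + hidden

    return FORM_OPEN_TAG.sub(inject, body)


def input_filter(session_id: str, method: str, body: str) -> tuple[int, str]:
    """Return (status, reason); 403 for any POST without a matching token."""
    if method.upper() != "POST":
        return 200, "not a state-changing method; passed through"
    session = SESSIONS.get(session_id)
    if not session or TOKEN_FIELD not in session:
        return 403, "no session token to compare against"
    supplied = parse_qs(body).get(TOKEN_FIELD, [""])[0]
    if not supplied:
        return 403, "csrf token missing"
    # Constant-time comparison on bytes; str compare_digest rejects non-ASCII.
    if not hmac.compare_digest(supplied.encode(), session[TOKEN_FIELD].encode()):
        return 403, "csrf token mismatch"
    return 200, "csrf token ok"


if __name__ == "__main__":
    # Constructed sample response: one same-origin POST form, one GET form.
    page = ('<form method="POST" action="/transfer"><input name="amt"></form>'
            '<form method="get" action="/search"></form>')
    rewritten = output_filter("sess-1", page)
    tok = get_or_create_token("sess-1")
    print(rewritten)
    print(input_filter("sess-1", "POST", f"amt=5&{TOKEN_FIELD}={tok}"))
    print(input_filter("sess-1", "POST", "amt=5"))
```

The regex rewrite is exactly the part Tom calls 'eeurgh': it has to guess at form boundaries and action targets without understanding the application, which is why the example refuses to inject into forms whose action is absolute and only accepts a token it can compare against an existing session.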

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

