Forum

CSRF prevention

Hugo Leisink
30 October 2008, 00:38
Since version 6.10, Hiawatha has protection against Cross-Site Request Forgery. You can turn this feature on per virtual host:
VirtualHost {
    ...
    PreventCSRF = yes
}


If it's turned on, Hiawatha will not send cookies to a CGI process when a POST request has been received with a hostname from the Referer HTTP header not matching the Host HTTP header line. This will automatically log out users from that website. I chose to only protect against POST-CSRF requests, because 99.99% of all websites use POST requests to add, modify or delete information within the website, not GET requests. Almost all GET requests with a Referer not matching the Host are not dangerous. They are caused by a simple and harmless link on one website to another.
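The rule described above, written out as an added example (this is illustrative Python, not Hiawatha's own C code): only POST requests are checked, the hostname is pulled out of the Referer URL and compared with the hostname in the Host header (ports and letter case ignored), and on a mismatch the Cookie header is dropped before the request reaches CGI. The function names, the sample requests and the choice to treat a POST with no usable Referer as a mismatch are assumptions made here; the post does not say how that case is handled.

```python
from urllib.parse import urlsplit


def referer_hostname(referer):
    """Hostname of a Referer URL, lower-cased with port removed, or None."""
    if not referer:
        return None
    try:
        return urlsplit(referer).hostname  # None for unparsable values
    except ValueError:
        return None


def host_header_hostname(host):
    """Hostname from a Host header value, dropping any port and lower-casing."""
    if not host:
        return None
    host = host.strip()
    if host.startswith("["):  # IPv6 literal such as [::1]:8080
        end = host.find("]")
        return host[1:end].lower() if end != -1 else None
    return host.split(":", 1)[0].lower() or None


def forward_cookies(method, headers):
    """Return True if the Cookie header may be handed to the CGI process.

    Only POST is checked, as in the post. Assumption (hypothetical, not
    from the post): a POST with a missing or unparsable Referer is treated
    as a mismatch, i.e. cookies are withheld.
    """
    if method.upper() != "POST":
        return True
    lower = {k.lower(): v for k, v in headers.items()}
    ref_host = referer_hostname(lower.get("referer"))
    host = host_header_hostname(lower.get("host"))
    if ref_host is None or host is None:
        return False
    return ref_host == host


def cgi_headers(method, headers):
    """Headers passed on to CGI: a copy with Cookie removed when the check fails."""
    out = dict(headers)
    if not forward_cookies(method, headers):
        out = {k: v for k, v in out.items() if k.lower() != "cookie"}
    return out


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("GET", {"Host": "example.com", "Referer": "http://other.example/",
                 "Cookie": "session=abc"}),
        ("POST", {"Host": "example.com", "Referer": "http://example.com/form",
                  "Cookie": "session=abc"}),
        ("POST", {"Host": "example.com:8080",
                  "Referer": "https://EXAMPLE.com:8443/x", "Cookie": "session=abc"}),
        ("POST", {"Host": "example.com", "Referer": "http://attacker.example/",
                  "Cookie": "session=abc"}),
        ("POST", {"Host": "example.com", "Cookie": "session=abc"}),
    ]
    for method, hdrs in samples:
        kept = "Cookie" in cgi_headers(method, hdrs)
        print(f"{method:4} Host={hdrs.get('Host')!r:20} "
              f"Referer={hdrs.get('Referer')!r:32} cookie forwarded: {kept}")
```

The last sample shows the practical cost Hugo mentions: a POST that arrives without a Referer (browsers and proxies that strip it are common) fails the check under this assumption and the user is logged out, which is the trade-off the feature makes.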
GiorgioViklo
19 February 2009, 01:49
Hello,

I've just decided to register here, so... hello everyone!
Hugo Leisink
19 February 2009, 10:26
Welcome!
This topic has been closed.