Forum

invalid referer while checking for CSRF

Mark J. Carpio
18 June 2015, 14:15
This issue is happening on FreeBSD and Centos.

If I browse to my website the Hiawatha's error log is filling with this error:
192.168.4.1|Thu 18 Jun 2015 07:07:25 -0500|/usr/local/www/example.com/public_html/index.php|invalid referer while checking for CSRF

This error is happening about twice per second.

I have these enabled for my VirtualHost
StartFile = index.php
#TimeForCGI = 5
UseFastCGI = PHP5
PreventCSRF = yes
PreventSQLi = yes
PreventXSS = yes
Any advice or is this expected?

https://github.com/hsleisink/hiawatha/blob/master/src/session.c

Thank you!
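Since the post is about a log that fills at roughly two lines per second, here is an added example (not part of the original post, and not Hiawatha's own code) that parses error-log lines in the pipe-separated layout quoted above and reports, per client IP, how many "invalid referer while checking for CSRF" rejections occurred, which scripts they hit, and the rate per second. The sample log is constructed for this example: the 192.168.4.1 lines copy the posted one with the seconds advanced, while the 10.0.0.7 client, the admin.php path and the junk line are invented to show that other clients, other messages and unparseable lines are handled.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of Hiawatha error-log lines, laid out like the line quoted
# in the post: client IP | timestamp | script path | message. The 10.0.0.7
# client, the admin.php line and the junk line are invented for this example.
SAMPLE_LOG = """\
192.168.4.1|Thu 18 Jun 2015 07:07:25 -0500|/usr/local/www/example.com/public_html/index.php|invalid referer while checking for CSRF
192.168.4.1|Thu 18 Jun 2015 07:07:25 -0500|/usr/local/www/example.com/public_html/index.php|invalid referer while checking for CSRF
192.168.4.1|Thu 18 Jun 2015 07:07:26 -0500|/usr/local/www/example.com/public_html/index.php|invalid referer while checking for CSRF
192.168.4.1|Thu 18 Jun 2015 07:07:26 -0500|/usr/local/www/example.com/public_html/index.php|invalid referer while checking for CSRF
192.168.4.1|Thu 18 Jun 2015 07:07:27 -0500|/usr/local/www/example.com/public_html/index.php|invalid referer while checking for CSRF
192.168.4.1|Thu 18 Jun 2015 07:07:27 -0500|/usr/local/www/example.com/public_html/index.php|invalid referer while checking for CSRF
10.0.0.7|Thu 18 Jun 2015 07:07:26 -0500|/usr/local/www/example.com/public_html/index.php|invalid referer while checking for CSRF
10.0.0.7|Thu 18 Jun 2015 07:07:40 -0500|/usr/local/www/example.com/public_html/admin.php|unrelated message for contrast
not a log line at all
"""

CSRF_MSG = "invalid referer while checking for CSRF"
TS_FORMAT = "%a %d %b %Y %H:%M:%S %z"   # matches "Thu 18 Jun 2015 07:07:25 -0500"


def parse_line(line):
    """Split one error-log line into (ip, timestamp, path, message).

    Returns None for anything that does not have the four pipe-separated
    fields with a parseable timestamp, so junk lines are skipped, not fatal.
    """
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    ip, ts, path, msg = parts
    try:
        when = datetime.strptime(ts, TS_FORMAT)
    except ValueError:
        return None
    return ip, when, path, msg


def csrf_rejections(log_text):
    """Summarise CSRF referer rejections per client IP.

    For each IP: how many rejections, which scripts were hit, and the rate in
    rejections per second over the seconds that client was active. Timestamps
    have one-second resolution, so the window is (last - first) + 1 seconds;
    a client seen only within a single second gets a one-second window.
    """
    count = Counter()
    first, last = {}, {}
    paths = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != CSRF_MSG:
            continue
        ip, when, path, _ = rec
        count[ip] += 1
        first[ip] = min(first.get(ip, when), when)
        last[ip] = max(last.get(ip, when), when)
        paths[ip].add(path)
    report = {}
    for ip, n in count.items():
        window = (last[ip] - first[ip]).total_seconds() + 1.0
        report[ip] = {
            "count": n,
            "rate_per_s": n / window,
            "paths": sorted(paths[ip]),
        }
    return report


if __name__ == "__main__":
    for ip, info in csrf_rejections(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} rejections, {info['rate_per_s']:.1f}/s, "
              f"scripts: {', '.join(info['paths'])}")
```

Run against a real error log with `csrf_rejections(open(path).read())`; a single client hammering one script at a steady rate, as in the sample, points at a page that posts back to itself (or polls) without a usable Referer rather than at an attack from many origins.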
Mark J. Carpio
18 June 2015, 14:18
Well it looks like commenting out the PreventCSRF stops the log from filling up, but that would be a nice feature to have enabled.
Hugo Leisink
18 June 2015, 18:01
Does your browser block or obfuscate the Referer header? (mostly done via an add-on for privacy reasons)
Mark J. Carpio
18 June 2015, 23:19
I use IE and Chrome and both are just the vanilla install. I think this is an issue with my php site, since it is not happening when accessing my html site. I will do some more testing. Thanks again Hugo, but I think this is an issue on my end.
Mark J. Carpio
19 June 2015, 08:02
It looks like the open source project osclass implemented anti-csrf protection.

https://github.com/osclass/Osclass/blob/master/oc-includes/osclass/helpers/hSecurity.php

This must be what is 'conflicting' with the Hiawatha Prevent CSRF feature. Hopefully their implementation is as good as yours is.
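To make the "conflict" concrete, here is an added example (written for this page; it is neither Hiawatha's session.c nor Osclass's hSecurity.php) that puts a server-level Referer check of the kind the thread describes next to an application-level per-session token check of the kind web applications commonly implement, and runs both over four constructed POSTs. The Referer check here rejects outright; what Hiawatha actually does with such a request beyond logging it is not described on this page. `SITE_HOST`, the request shapes and the scenario names are all assumptions of this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed hostname of the protected site; "example.com" is taken from the
# document root shown in the posted log line.
SITE_HOST = "example.com"


def referer_allows(headers, site_host=SITE_HOST):
    """Server-level check in the spirit of the thread's PreventCSRF: a
    state-changing request must carry a Referer whose host is our own site.

    A missing Referer (privacy add-on, some proxies, some redirects) is
    indistinguishable from a foreign one here, which is the false positive
    the thread's error log is full of.
    """
    ref = headers.get("Referer")
    if not ref:
        return False, "no referer"
    host = urlsplit(ref).hostname
    # Compare the whole hostname, so example.com.attacker.test does not pass.
    if host is None or host.lower() != site_host.lower():
        return False, "invalid referer"
    return True, "ok"


def issue_token(session):
    """Application-level check: bind a random secret to the user's session
    and embed it in every form. Only a page served to that user can
    reproduce it, so a forged cross-site POST cannot include it."""
    tok = secrets.token_hex(16)
    session["csrf_token"] = tok
    return tok


def token_allows(session, form):
    """Accept the POST only if the form token matches the session token.
    compare_digest avoids leaking the token through timing."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "bad token"
    return True, "ok"


def evaluate(request):
    """Run both checks on one POST and return (referer_ok, token_ok)."""
    return (referer_allows(request["headers"])[0],
            token_allows(request["session"], request["form"])[0])


def scenarios():
    """Four constructed POSTs to the site; returns {name: (referer_ok, token_ok)}."""
    session = {}
    tok = issue_token(session)              # the real page rendered this into its form
    genuine = {"csrf_token": tok, "comment": "hello"}
    forged = {"comment": "attacker text"}   # an attacker's page cannot read tok
    cases = {
        "same-site, Referer sent": {
            "headers": {"Referer": "http://example.com/post"},
            "session": session, "form": genuine},
        "same-site, Referer stripped": {
            "headers": {},
            "session": session, "form": genuine},
        "cross-site forged": {
            "headers": {"Referer": "http://attacker.test/lure"},
            "session": session, "form": forged},
        "cross-site, lookalike host": {
            "headers": {"Referer": "http://example.com.attacker.test/"},
            "session": session, "form": forged},
    }
    return {name: evaluate(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (ref_ok, tok_ok) in scenarios().items():
        print(f"{name:30s} referer check: {'pass' if ref_ok else 'REJECT'}  "
              f"token check: {'pass' if tok_ok else 'REJECT'}")
```

The second scenario is the one in this thread: a legitimate same-site POST whose Referer never arrives fails the server-side check and lands in the error log, while the application's token check still passes. Both checks agree on the two forged requests, which is why running the token check alone loses nothing for a site that already has it.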
This topic has been closed.