FreeBSD Manual Pages

Cutelyst2Qt5CSRFProtection(5) File Formats ManualCutelyst2Qt5CSRFProtection(5)

       Cutelyst2Qt5CSRFProtection - Configuration of the CSRFProtection	Plugin
       for the Cutelyst	Web Framework

       The CSRFProtection plugin implements a synchronizer token pattern (STP)
       to  protect  input forms	against	Cross Site Request Forgery (CSRF/XSRF)
       attacks	   <>.
       This  type of attack occurs when	a malicious website contains a link, a
       form button or some JavaScript that is intended to perform some	action
       on  your	 website, using	the credentials	of a logged-in user who	visits
       the malicious site in their browser.

       There are some options you can set in  your  application	 configuration
       file in the Cutelyst_CSRFProtection_Plugin section.

       cookie_age (integer value, default: 31449600)
	   The age/expiration time of the cookie in seconds.

	   The	reason	for  setting  a	long-lived expiration time is to avoid
	   problems in the case	of a user closing a browser or	bookmarking  a
	   page	 and then loading that page from a browser cache. Without per-
	   sistent cookies, the	form submission	would fail in this case.

           Some browsers (specifically Internet Explorer) can disallow the use
           of persistent cookies or can have the indexes to the cookie jar
           corrupted on disk, thereby causing CSRF protection checks to
           (sometimes intermittently) fail. Change this setting to 0 to use
           session-based CSRF cookies, which keep the cookies in-memory
           instead of on persistent storage.

       cookie_domain (string value, default: empty)
	   The	domain	to  be	used when setting the CSRF cookie. This	can be
	   useful for easily allowing cross-subdomain requests to be  excluded
	   from	the normal cross site request forgery protection. It should be
	   set to a string such	as "" to allow a POST request from
	   a  form  on	one subdomain to be accepted by	a view served from an-
	   other subdomain.

	   Please note that the	presence of this setting does not  imply  that
	   the CSRF protection is safe from cross-subdomain attacks by default
	   - please see	the NOTES section.

       cookie_secure (boolean value, default: false)
	   Whether to use a secure cookie for the CSRF cookie. If this is  set
	   to  true, the cookie	will be	marked as secure, which	means browsers
	   may ensure that the cookie is only sent with	an HTTPS connection.

       trusted_origins (string list, default: empty)
	   A comma separated list of hosts which are trusted origins  for  un-
	   safe	 requests  (e.g.  POST). For a secure unsafe request, the CSRF
	   protection requires that the	request	have  a	 Referer  header  that
	   matches  the	 origin	present	in the Host header. This prevents, for
	   example, a POST request from from  succeeding
	   against  If you need cross-origin unsafe requests
	   over	HTTPS, continuing the example, add ""  to
	   this	 list.	The setting also supports subdomains, so you could add
	   "", for example,	to allow access	from all subdomains of

       log_failed_ip (boolean value, default: false)
	   If  this is set to true, the	log output for failed checks will con-
	   tain	the IP address of the remote client.
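
       A small Python model of the two checks the options above configure:
       the synchronizer token comparison and the Referer check against the
       Host header and the trusted_origins list for unsafe HTTPS requests. It
       is added here as an example and is not the plugin's own code; the
       hostnames are constructed, the set of "safe" methods and the
       leading-dot subdomain syntax for trusted_origins are assumptions.

```python
import hmac
from urllib.parse import urlsplit

# Illustrative model of the checks described above; assumed, not the plugin's
# own code. Trusted-origin entries starting with "." are taken to match every
# subdomain of that domain (an assumption about the list syntax).

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")  # assumed "safe" set


def referer_allowed(request_host, referer, trusted_origins=()):
    """Origin check for an unsafe request over HTTPS: the Referer must be an
    HTTPS URL whose host equals the Host header or a trusted origin."""
    parts = urlsplit(referer or "")
    if parts.scheme != "https" or not parts.hostname:
        return False  # absent, malformed or non-HTTPS Referer is rejected
    host = parts.hostname.lower()
    if host == request_host.split(":")[0].lower():
        return True
    for origin in trusted_origins:
        origin = origin.strip().lower()
        if origin.startswith("."):  # ".example.com": any subdomain or the apex
            if host.endswith(origin) or host == origin[1:]:
                return True
        elif host == origin:
            return True
    return False


def tokens_match(cookie_token, form_token):
    """Synchronizer token pattern: the token submitted with the form must
    equal the one in the CSRF cookie; compare in constant time."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def check_request(method, https, host, referer, cookie_token, form_token,
                  trusted_origins=()):
    """Return (accepted, reason) for one request, in the order the man page
    describes: the origin check applies only to HTTPS requests."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no CSRF check"
    if https and not referer_allowed(host, referer, trusted_origins):
        return False, "Referer does not match Host or a trusted origin"
    if not tokens_match(cookie_token, form_token):
        return False, "CSRF token missing or does not match cookie"
    return True, "ok"
```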

NOTES
       Subdomains within a site	will be	able to	set cookies on the client  for
       the  whole  domain. By setting the cookie and using a corresponding to-
       ken, subdomains will be able to circumvent  the	CSRF  protection.  The
       only  way  to avoid this	is to ensure that subdomains are controlled by
       trusted users (or, are at least unable to set cookies). Note that  even
       without	CSRF,  there  are other	vulnerabilities, such as session fixa-
       tion, that make giving subdomains to untrusted parties a	bad idea,  and
       these vulnerabilities cannot easily be fixed with current browsers.


Cutelyst2Qt5CSRFProtection 2.11.0 2018-01-11	 Cutelyst2Qt5CSRFProtection(5)

