Configuration help

Hojo
2014-06-27
2014-06-30
  • Hojo

    Hojo - 2014-06-27

    I am rather unskilled at doing anything with Apache, yet I have been charged with the task of configuring it against CSRF attacks. I have been able to build and insert mod_csrf into the server, though I am at a loss as to how to proceed. Further to that, I am not sure whether I need to install both mod_clientid (I haven't installed it yet) and mod_parp, as per this message:

    [warn] mod_csrf(001): mod_parp not available

    Or, do I need to install mod_setenvif/mod_setenvifplus and/or mod_uniqueid as well?

    So far, this is the only configuration I have set up:

    <IfModule mod_csrf.c="">
    CSRF_Enable 'on'
    CSRF_ScriptPath /var/www/html/js/csrf.js
    </IfModule>

    My actual questions would be:
    Does mod_csrf append the csrf.js automatically, or is that something I must include in my source?
    If I just use mod_csrf and the included JS, will mod_csrf be able to validate the request ID, or will I need to include more modules?
    Is the IfModule sufficient, or do I need to apply the directives to the <VirtualHost> sections as well?

    Please forgive my ignorance. Apache is quite foreign to me, as I typically never touch the UI side of things, let alone the infrastructure around the UI.

    Regards,
    -dave hojo

  • Pascal Buchbinder

    The usage of mod_parp is highly recommended in order to support HTML forms (where the browser submits the injected ID in the HTTP request body).

    mod_csrf injects the URL of the JavaScript into HTML pages itself. The CSRF_ScriptPath directive defines the path which shall be used (this is the URL used by the browser to download the file from your Web server => I guess yours should be /js/csrf.js).

    You also need to define the user-identifying data. The ID must be unique for every user/session, not allowing anybody to inject any ID.

    Example:

    SetEnvIf Remote_Addr (.*) CSRF_ATTRIBUTE=$1

    Last edit: Pascal Buchbinder 2014-06-27
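
    Putting the pieces from the reply above together, here is a complete minimal httpd configuration. This is an added example, not code from the thread or from the mod_csrf project. It assumes the module files are installed under modules/, that the DocumentRoot is /var/www/html, that the csrf.js shipped with mod_csrf has been copied to /var/www/html/js/csrf.js, and that the "parp" environment variable is mod_parp's per-request enable switch (as its documentation describes; verify against the version you built). The JSESSIONID cookie name in the commented-out alternative is also an assumption about the application.

```apache
# Added example (not from the thread): minimal httpd.conf fragment
# enabling mod_csrf with mod_parp so that IDs submitted in HTML form
# bodies can be validated.

# mod_setenvif is normally built in or already loaded; mod_parp and
# mod_csrf are the modules built from source. Module paths are assumed.
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule parp_module     modules/mod_parp.so
LoadModule csrf_module     modules/mod_csrf.so

<VirtualHost *:80>
    ServerName   www.example.com
    DocumentRoot /var/www/html

    # mod_parp must read POST bodies so that mod_csrf can find the ID
    # the browser submits with a form; setting the "parp" variable
    # turns body processing on for those requests (assumed switch name).
    SetEnvIf Request_Method ^POST parp

    # User-identifying data the ID is bound to, as in the reply above.
    # Remote_Addr is the simplest choice; behind NAT or a proxy many
    # users share one address, so binding to a session cookie is
    # tighter. Keep exactly one of the two lines active.
    SetEnvIf Remote_Addr (.*) CSRF_ATTRIBUTE=$1
    # SetEnvIf Cookie "JSESSIONID=([^;]+)" CSRF_ATTRIBUTE=$1

    <IfModule mod_csrf.c>
        CSRF_Enable on
        # A URL path, not a filesystem path: the browser fetches it
        # from this server, so it must resolve under DocumentRoot
        # (here /var/www/html/js/csrf.js).
        CSRF_ScriptPath /js/csrf.js
    </IfModule>
</VirtualHost>
```

    To check that it is active, request an HTML page with curl and confirm that a script tag referencing /js/csrf.js has been injected into the response, then submit a form POST without the ID and confirm it is rejected; if the "mod_parp not available" warning still appears in the error log, the LoadModule line for mod_parp is missing or points at the wrong file.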
  • Hojo

    Hojo - 2014-06-30

    I have managed to get my configuration going though I have another, new issue. I'll post a new thread. Thanks for clarifying the need for mod_parp.
