I am rather not skilled in doing anything with Apache, yet have been charged with the task of configuring against CSRF attacks. I have been able to build and insert mod_csrf in the server, though I am at a loss as to how to proceed. Further to that, I am not sure if I need to install both mod_clientid (I haven't installed it yet) or mod_parp as per this message:
[warn] mod_csrf(001): mod_parp not available
Or, do I need to also install mod_setenvif/mod_setenvifplus and/or mod_uniqueid as well?
So far, this is the only configuration I have set up:
<IfModule mod_csrf.c>
CSRF_Enable 'on'
CSRF_ScriptPath /var/www/html/js/csrf.js
</IfModule>
My actual questions would be:
Does mod_csrf append the csrf.js automatically, or is that something I must include in my source?
Will, if I just use mod_csrf and the included JS, mod_csrf be able to validate the request ID, or will I need to include more modules?
Is the IfModule sufficient, or do I need to apply the flags to the <VirtualHost> sections also?
Please forgive my ignorance. Apache is quite foreign to me as I typically never touch the UI side of things, let alone the infrastructure around the UI.
Regards,
-dave hojo
The usage of mod_parp is highly recommended in order to support HTML forms (where the browser submits the injected ID in the HTTP request body).
mod_csrf injects the URL of the JavaScript into HTML pages itself. The CSRF_ScriptPath directive defines the path which shall be used (this is the URL used by the browser to download the file from your Web server => I guess yours should be /js/csrf.js).
You also need to define the user identifying data. The ID must be unique for every user / session, not allowing anybody to inject any ID.
Example:
SetEnvIf Remote_Addr (.*) CSRF_ATTRIBUTE=$1
Last edit: Pascal Buchbinder 2014-06-27
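A minimal configuration assembling the pieces Pascal lists, as an added example that is not from the thread or the mod_csrf project; it places the directives inside a VirtualHost to show that scope works too. The module identifiers, the ServerName/DocumentRoot values and the `parp` environment variable that mod_parp is assumed to key on are assumptions to check against your build's documentation; CSRF_Enable, CSRF_ScriptPath and the CSRF_ATTRIBUTE line come from the thread itself.

```apache
# Added example, not taken from the thread. Module identifiers and file
# paths are assumptions; adapt them to your httpd build.
LoadModule setenvif_module modules/mod_setenvif.so
# mod_parp parses the request body so IDs submitted by HTML forms can be read
LoadModule parp_module modules/mod_parp.so
LoadModule csrf_module modules/mod_csrf.so

<VirtualHost *:80>
    # Placeholder host values
    ServerName example.com
    DocumentRoot /var/www/html

    # CSRF_ScriptPath is a URL path, not a filesystem path: the browser
    # requests /js/csrf.js, which here resolves to /var/www/html/js/csrf.js
    # under DocumentRoot, so copy mod_csrf's csrf.js there.
    CSRF_Enable on
    CSRF_ScriptPath /js/csrf.js

    # Per-user / per-session value mod_csrf binds the request ID to (the
    # thread's example). Clients behind a shared address (NAT, proxy) would
    # share it, so prefer a session identifier when your application has one.
    SetEnvIf Remote_Addr (.*) CSRF_ATTRIBUTE=$1

    # Assumption: mod_parp only parses bodies of requests where the "parp"
    # variable is set; without body parsing, form-submitted IDs are not seen.
    SetEnvIf Content-Type application/x-www-form-urlencoded parp
</VirtualHost>
```

After restarting httpd, the "mod_parp not available" warning from the first post should no longer appear in the error log; if it does, mod_parp was not loaded.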
I have managed to get my configuration going though I have another, new issue. I'll post a new thread. Thanks for clarifying the need for mod_parp.