This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Mod csrfprotector

From OWASP
Jump to: navigation, search

mod_csrfprotector - Apache 2.x.x Modules for mitigating CSRF attacks

What is mod_csrfprotector

Its an Apache 2.x.x Module (Currently 2.2.x) under development. It can be installed and configured in any Apache Server to protect it against Cross Site Request Forgery attacks. mod_csrfprotector provides protection to both POST and GET requests (not enabled by default).

How mod_csrfprotector works?

Once installed in Apache Server, every request that is made to the server, and validated against CSRF attacks by the input filters. Input filter follows a protocol as mentioned by developer in configuration, which helps the module to decide weather to validated the request. The input filter checks for appropriate token sent with request. Request if forwarded to other filters or content generator (like php or cgi) in validation is successful. Otherwise, appropriate actions are taken as per configuration. For ex: 403, Forbidden header is send to client. The Output filter, checks for content type of output generated by content generator and if it is `text/html` or `text/xhtml` it appends javascript code to the output. This js code in client side is responsible for attaching CSRFP_token with every required request sent from client.

Features Offered

CSRF Protection provide protection for:

  • Normal HTML forms (POST/GET)
  • Normal Get requests (Not enabled by default)
  • Ajax Requests (XHR)
  • Dynamically generated forms

Damages Mitigated

  • Cross Site Request Forgery

How to contribute

To contribute to the code fork and send a pull to:
GitHub Repo - mod_csrfprotector

For discussions, join our mailing list: - Mailing List

TODOs

All todos for mod_csrfprotector are listed at: todofy: mod_csrfprotector

Current Status

Under Development