Cross-site request forgery (CSRF ) attacks try to force a user to send data to a Web application in which the user has currently an authenticated session (the user has logged on) in order to execute actions the used did not want. These kind of attacks are sometimes performed by sending somebody a manipulated hyperlink by email or by storing malicious HTML links within a Web site, e.g., a public forum or blog.

The mod_csrf project implements protection measurements against CSRF attacks. It can be installed on your Apache Web server to help to protect your users from such an attack. The project provides two components:

  • A JavaScript which injects a unique (per user/per session) request identifier to HTTP request. The identifier is added to evey HTML form, hyperlink ("a" tag by default/list of attributes may be extended), as well as Ajax request.
  • An Apache module which may be used to verify that HTTP requests do contain this unique identifier injected by the JavaScript. The module can also be configured to validate the HTTP referer header in addition.

mod_csrf is an open source software licensed under the GNU Lesser General Public License. Downloads are handled by

Module Directives

  • CSRF_Enable 'on'|'off'
    Enables or disables the module on a per server or location basis. Default is 'on'.
  • CSRF_EnableReferer 'on'|'off'
    mod_csrf may deny requests whose HTTP Host and Referer header do not contain the very same hostname. This referer header check is enabled by default. Directive can be used on a per server or location basis.
  • CSRF_Action 'deny'|'log'
    Defines the action to take when a request does violates the configured rules. Default is 'deny'. Directive can be used on a per server basis.
  • CSRF_PassPhrase <string>
    Used to encrypt the mod_csrf request identifier. Default is a non-persistent random passphrase. Directive can be used on a per server basis.
  • CSRF_Timeout <seconds>
    The validity period of the csrf request identifier injected by the JavaScript. Default is 3600 seconds. Directive can be used on a per server basis.
  • CSRF_ScriptPath <path>
    URL path to the JavaScript to include to each HTML which is then used to inject the mod_csrf request identifier. Default path is /csrf.js. Directive can be used on a per server or location basis.

Module Variables

    The module enforces that every GET request containing arguments (query string or request body parameter) or any request with another HTTP method (POST,PUT,...) also contains the request identifier injected by the JavaScript. Some handler (URL patterns), such as those with the ending *.jpg, *.png, *.css, etc. are excluded from this rule. You may exclude additional requests by setting this environment using mod_setenvif or mod_setenvifplus .
      SetEnviIf Request_URI /startpage.html CSRF_IGNORE=yes
    In opposite to CSRF_IGNORE, this variable tells mod_csrf to enforce the request identifier check even the request would otherwise been excluded. Use this variable for applications encoding parameters into the URL path.
      SetEnviIf Request_URI /[0-9]+ CSRF_ENFORCE=yes
    This environment variable defines the content (user / session specific data making the identifier unique) within the request identifier. It may be set using mod_setenvif or mod_setenvifplus and may contain values such as the user name or a session cookie.
      SetEnvIfPlus Remote_User (.*) CSRF_ATTRIBUTE=$1
    The modules adds the request identifier to the HTTP Location header if this variable is set.
      ResponseSetEnvIfPlus Location CSRF_REDIRECT
    A unique request id generated by mod_unique_id which is (if available) used within log messages written by mod_csrf. We recommend to use this id within the transaction log as well allowing you to correlate log messages.
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\" \"%{Referer}i\" %T id=%{UNIQUE_ID}e %{CSRF_ATTRIBUTE}e #%P"


mod_csrf is an Apache module. You may download the source code of mod_csrf at and build the shared library using apxs .
cd apache2
apxs -i -c mod_csrf.c -lcrypto
mod_csrf uses mod_parp to parse HTTP request data.


© 2012-2016, Pascal Buchbinder / Christoph Steigmeier