Cross-site request forgery (CSRF) attacks try to force a user to send data to
a Web application in which the user currently has an authenticated session (the user
has logged on) in order to execute actions the user did not want. These kinds of attacks
are sometimes performed by sending somebody a manipulated hyperlink by email or by storing
malicious HTML links within a Web site, e.g., a public forum or blog.
The mod_csrf project implements protection measures against CSRF attacks. It can be
installed on your Apache Web server to help protect your users from such an attack.
The project provides two components:
- A JavaScript which injects a unique (per user/per session) request identifier into HTTP requests. The
identifier is added to every HTML form, hyperlink ("a" tag by default; the list of attributes may be
extended), as well as Ajax requests.
- An Apache module which may be used to verify that HTTP requests contain this unique identifier
injected by the JavaScript. The module can additionally be configured to validate the HTTP Referer header.
mod_csrf is open source software licensed under the GNU Lesser General Public License.
Downloads are handled by SourceForge.net.
Module Directives
- CSRF_Enable 'on'|'off'
Enables or disables the module on a per-server or per-location basis. Default is 'on'.
- CSRF_EnableReferer 'on'|'off'
mod_csrf may deny requests whose HTTP Host and Referer headers do not contain the
very same hostname. This Referer header check is enabled by default.
- CSRF_Action 'deny'|'log'
Defines the action to take when a request violates the configured rules. Default is 'deny'.
- CSRF_PassPhrase <string>
Used to encrypt the mod_csrf request identifier. Default is a non-persistent random passphrase.
- CSRF_Timeout <seconds>
The validity period of the CSRF request identifier injected by the JavaScript. Default is 3600 seconds.
- CSRF_ScriptPath <path>
URL path of the JavaScript that is included in each HTML page and injects the mod_csrf
request identifier. Default path is '/csrf.js'.
Module Variables
- CSRF_IGNORE
The module enforces that every request containing arguments (query string or request body
parameters) also contains the request identifier injected by the JavaScript. Some handlers (URL patterns),
such as those ending in *.jpg, *.png, *.css, etc.,
are excluded from this rule. You may exclude additional requests by setting this environment variable using mod_setenvif or
mod_setenvifplus.
Example: SetEnvIf Request_URI /startpage.html CSRF_IGNORE=yes
- CSRF_ATTRIBUTE
This environment variable defines the content within the request identifier. It may be set using
mod_setenvif or
mod_setenvifplus and
may contain values such as the user name or a session cookie.
Example: SetEnvIfPlus Remote_User (.*) CSRF_ATTRIBUTE=$1
- UNIQUE_ID
A unique request id generated by mod_unique_id which is (if available) used within log
messages written by mod_csrf. We recommend using this id within the transaction log as well.
Example: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\" \"%{Referer}i\" %T id=%{UNIQUE_ID}e %{CSRF_ATTRIBUTE}e #%P"
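The directives and variables above combined into one virtual host, as an added example that is not part of the mod_csrf project's own documentation. The LoadModule line, the site paths, the <Location> block used for a staged rollout, and the assumption that every directive is accepted in virtual-host and location context are mine, not the project's.

```apache
# Added example, not from the mod_csrf project. Module path is an assumption.
LoadModule csrf_module modules/mod_csrf.so

<VirtualHost *:443>
    ServerName   www.example.com
    DocumentRoot /var/www/html

    # Enforce the identifier and the Host/Referer match; reject violations.
    # These are the documented defaults, stated explicitly here.
    CSRF_Enable        on
    CSRF_EnableReferer on
    CSRF_Action        deny

    # A fixed passphrase keeps identifiers valid across restarts and across
    # several servers; the default is a random, non-persistent one.
    # Placeholder value: generate a long random secret for production.
    CSRF_PassPhrase "REPLACE-WITH-LONG-RANDOM-SECRET"

    # Identifiers older than 30 minutes are rejected (default 3600 s).
    CSRF_Timeout 1800

    # Location of the client-side script referenced from every HTML page.
    CSRF_ScriptPath /csrf.js

    # The landing page is reached from external links that carry query
    # parameters and therefore cannot contain the identifier: exclude it.
    SetEnvIf Request_URI ^/startpage\.html$ CSRF_IGNORE=yes

    # Bind the identifier to the authenticated user (needs mod_setenvifplus).
    SetEnvIfPlus Remote_User (.*) CSRF_ATTRIBUTE=$1

    # Staged rollout for a legacy area: log violations instead of denying
    # them until the pages there have been verified to include the script.
    <Location /legacy>
        CSRF_Action log
    </Location>

    # Correlate mod_csrf log messages with the access log via UNIQUE_ID.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\" \"%{Referer}i\" %T id=%{UNIQUE_ID}e %{CSRF_ATTRIBUTE}e #%P" csrf
    CustomLog logs/access_log csrf
</VirtualHost>
```

Review the access log for the /legacy area before switching it to 'deny': every request there that still lacks the identifier after the rollout points at a page that does not load the script.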