|
1 | 1 | # Easy CSRF prevention using the 'referer' header |
2 | 2 |
|
| 3 | +Cross-Site Request Forgery (CSRF) prevention is a security measure employed by web applications to safeguard against unauthorized commands issued from a trusted user (authenticated user). CSRF attacks exploit the trust a site has in a user's browser, enabling an attacker to execute unwanted actions in a web application in which the user is authenticated. Without CSRF prevention mechanisms in place, a malicious actor could potentially manipulate a user into performing actions they did not intend. |
| 4 | + |
| 5 | +CSRF attacks are more commonly associated with public-facing web applications and not so much with servers running within an Intranet since the attacker would need to know the Intranet address for the server. |
| 6 | + |
| 7 | +This example shows how to implement CSRF prevention using the browser's "referer" header. The example also shows how to implement a CSRF token, but this token is only used for the initial handshake. However, you may optionally choose to use the CSRF token for general CSRF prevention. The token is generated as follows: |
| 8 | + |
| 9 | +``` Lua |
| 10 | +--Create token |
| 11 | +encryptedtoken = ba.aesencode(secret, ba.json.encode{time=ba.datetime"NOW":tostring()}) |
| 12 | + |
| 13 | +--Decode token |
| 14 | +token = ba.json.decode(ba.aesdecode(secret, encryptedtoken) |
| 15 | +``` |
| 16 | + |
| 17 | +The above encrypted token includes a timestamp which the server side can use to verify that the token has not expired. |
| 18 | + |
| 19 | +See the documentation for more information on: |
| 20 | +- [ba.aesencode](https://realtimelogic.com/ba/doc/?url=lua/lua.html#ba_aesencode) |
| 21 | +- [ba.aesdecode](https://realtimelogic.com/ba/doc/?url=lua/lua.html#ba_aesdecode) |
| 22 | +- [ba.json.encode](https://realtimelogic.com/ba/doc/?url=lua/lua.html#json_encode) |
| 23 | +- [ba.json.decode](https://realtimelogic.com/ba/doc/?url=lua/lua.html#json_decode) |
| 24 | +- [ba.datetime](https://realtimelogic.com/ba/doc/?url=lua/lua.html#ba_datetime) |
| 25 | + |
| 26 | +When using the browser's referrer header for CSRF prevention, you need to be aware of your server's name. For an Intranet server, it might be tempting to hard-code this to the server's IP address, but in practice, this can change due to factors like Intranet DNS services or [SharkTrustX](https://realtimelogic.com/products/SharkTrustX/) providing dynamic names. Therefore, simply using the server's IP address for comparison with the referrer header is not reliable. |
| 27 | + |
| 28 | +In our example, we use the CSRF token primarily to discover the server's name dynamically. This could be an IP address or any other identifier; the server could even have multiple names provided by DNS. |
| 29 | + |
| 30 | +The first page the user visits, the [main index page](index.lsp), initiates a trusted handshake to automatically discover the server's name. This page uses support functions from the [.preload](.preload) script to generate a CSRF token and store the server's name. JavaScript in the index page handles this handshake and then redirects the user to [myapp/index.lsp](myapp/index.lsp), which includes an HTML form that is protected using the referrer header. |
| 31 | + |
3 | 32 | Run the example, using the Mako Server, as follows: |
4 | 33 |
|
5 | 34 | ``` shell |
|
0 commit comments