Web Application CSRF Protection

I have a CSRF protected application provided by apache modules. My application contains several pages that allow you to download some files, it looks like this:

<form:form method="post" action="my.controller" enctype="multipart/form-data" id="form">

All things worked fine when we upgraded our version of apache from httpd-2.2.3 to httpd-2.2.15.

I searched for a while and found that the problem could be related to the multipart/form-data parameter in my form. In this case, the form is submitted as unsecured. I also found that spring can handle things as above using MultipartFilter from spring doc http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html#csrf-multipartfilter

I am new to CSRF. It would be nice to know that you can use spring CSRF protection with apache configuration to handle such cases.

I also found a workaround where I can disable CSRF for the necessary URLs, for example

RewriteRule /url/mycontroller.controller - [E=CSRF_IGNORE:yes]

But I'm not sure if this will be correct.

+6

1 answer

Here are a few suggestions:

Please remove enctype if this is not required, since multipart/form-data is not supported in some CSRF libraries, including CSRF Guard.

If you are setting the CSRF token using a hidden attribute, try adding the token to the action attribute. Here is the link: https://code.google.com/p/csrf-filter/

If you are still experiencing the same problem, you may need to exclude the URL from the CSRF check.

+1
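As an added illustration of the Spring route the question links to and the action-attribute alternative the answer gives (example code, not from the question, the answer or the Spring project): with Spring Security 3.2 Java config, registering MultipartFilter ahead of the security filter chain lets CsrfFilter read the token out of a multipart body. The URL /upload, the 5 MiB limit and the form markup in the comment are assumptions for this example; the bean name filterMultipartResolver is the one MultipartFilter looks up by default.

```java
// Added example, not the project's own code. Assumes Spring Security 3.2 Java config.
import javax.servlet.ServletContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.web.multipart.MultipartResolver;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;
import org.springframework.web.multipart.support.MultipartFilter;

// 1) Register MultipartFilter BEFORE springSecurityFilterChain. Without this,
//    CsrfFilter sees a raw multipart body, cannot find the hidden _csrf field,
//    and rejects every upload as a forgery.
public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer {
    @Override
    protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
        insertFilters(servletContext, new MultipartFilter());
    }
}

// 2) Provide the resolver MultipartFilter delegates to. Bounding the upload size
//    matters here: the filter now runs before authentication, so an anonymous
//    client can make the server buffer request bodies to disk.
@Configuration
class MultipartConfig {
    @Bean(name = "filterMultipartResolver")
    public MultipartResolver filterMultipartResolver() {
        CommonsMultipartResolver resolver = new CommonsMultipartResolver();
        resolver.setMaxUploadSize(5L * 1024 * 1024); // 5 MiB, a constructed limit
        return resolver;
    }
}

// 3) Matching form (assumed upload.jsp). With the filter above the token can stay
//    in the body, which is preferable:
//
//    <form method="post" action="upload" enctype="multipart/form-data">
//        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
//        <input type="file" name="file"/>
//    </form>
//
//    The answer's alternative puts the token in the action attribute instead:
//
//    <form method="post" action="upload?${_csrf.parameterName}=${_csrf.token}"
//          enctype="multipart/form-data">
//
//    That works without MultipartFilter, but the token then lands in browser
//    history, proxy and server access logs and Referer headers.
```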

Source: https://habr.com/ru/post/970610/
