New KOBI documentation is available: https://adeo-ccdp.gitbook.io/kobi/

KOBI CSRF

OWASP proposes three ways to prevent CSRF attacks:

  • Use custom request headers
  • Verify the origin with standard headers
  • Use double submit cookies

Two of these are implemented in KOBI: “Origin header verification” and “Double submit cookie”.

This page covers the “Double submit cookie” verification. Origin verification is done by a separate handler and is explained here.

Setup

You can set up CSRF protection in the Designer, under the “security” tab of your site.

You will find a form with these fields:

  • secret : a password used for encryption
  • cookie-name : the cookie name
  • http-only : true is highly recommended
  • secure : true is highly recommended
  • expiration-delay (millisecond) : past this delay the token will be renewed
  • refresh-delay (millisecond) : past this delay, the date inside the token will be renewed (the token itself remains the same)

Don’t use too short a refresh delay; users need time to fill in forms and submit them.
We recommend “60000” (10 minutes) for the refresh and double that, “1200000” (20 minutes), for the expiration.

Usage

With this configuration Gluer will create a cookie holding an encrypted CSRF token.
In your components’ forms you can add a hidden field for CSRF validation, which looks like this:

<form action="/application/submit" method="post">
    ... fields ...
    <input type="hidden" name="X-CSRF-TOKEN" value="[CSRF]">
    <input type="submit">
</form>

Gluer looks for “[CSRF]” and rewrites each occurrence, inserting the CSRF token as the value.
This is the double submit cookie protection: on the client side you have both a cookie and a form value containing the CSRF token.

Since the POST is routed directly to the application, Gluer does not compare the cookie and field values; you have to do it yourself in your application’s POST handler.

This mechanism is implemented in the Java Kobi-starters, so there is nothing to do if you are already using them (put @Csrf on your POST handler).

The starter looks for a field named “X-CSRF-TOKEN” by default.
You can override it by setting a value in the @Csrf annotation.

Example: @Csrf("my-custom-field") together with <input type="hidden" name="my-custom-field" value="[CSRF]">
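If your application is not a Kobi-starter, you have to write the comparison described above yourself. The following is an added illustration in Python (not Gluer's or the starters' code) of the two sides of the mechanism: the “[CSRF]” rewrite that Gluer performs, and the check a POST handler must perform between the cookie and the submitted field. The cookie name “kobi-csrf” and the token value are constructed examples; the real cookie name is whatever you configured in the Designer.

```python
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

COOKIE_NAME = "kobi-csrf"       # assumption: the cookie-name set in the Designer
DEFAULT_FIELD = "X-CSRF-TOKEN"  # default field name looked up by the starter
PLACEHOLDER = "[CSRF]"


def render_form(template: str, token: str) -> str:
    """Mimic Gluer's rewrite: every [CSRF] placeholder becomes the token value."""
    return template.replace(PLACEHOLDER, token)


def validate_double_submit(cookie_header: str, body: str,
                           field_name: str = DEFAULT_FIELD) -> bool:
    """Return True only if the cookie token and the form token both exist and match.

    cookie_header: raw value of the request's Cookie header.
    body: raw application/x-www-form-urlencoded POST body.
    field_name: the hidden field name (override it like @Csrf does).
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    if morsel is None or not morsel.value:
        return False  # no CSRF cookie: the request did not come through Gluer
    fields = parse_qs(body or "", keep_blank_values=True)
    submitted = fields.get(field_name, [])
    if len(submitted) != 1 or not submitted[0]:
        return False  # field missing, empty or sent more than once
    # Constant-time comparison so a mismatch does not leak the token byte by byte.
    return hmac.compare_digest(morsel.value, submitted[0])


if __name__ == "__main__":
    token = "tok123"  # constructed; Gluer's real token is encrypted and carries a date
    html = render_form('<input type="hidden" name="X-CSRF-TOKEN" value="[CSRF]">', token)
    print(html)
    print(validate_double_submit(f"{COOKIE_NAME}={token}", f"X-CSRF-TOKEN={token}"))   # True
    print(validate_double_submit(f"{COOKIE_NAME}={token}", "X-CSRF-TOKEN=forged"))     # False
    print(validate_double_submit("", f"X-CSRF-TOKEN={token}"))                         # False
```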
