Re: Cross-Site Request Forgery

On Mon, Feb 20, 2012 at 2:26 PM, Mark Montague <mark@xxxxxxxxxxx> wrote:
> On the other hand, I could see providing CSRF protection at the web server
> level as being useful, since you then would not need to trust each web
> application author to both completely implement CSRF protection and to
> implement it correctly.  Does anyone know of ANY web server that provides
> CSRF protection at the web server level?  I'm curious.
>

I'm not aware of one, but one could implement such a scheme in apache,
using mod_session as backend, an output filter detecting the start of
a form tag in responses, grokking an internal location and auto
inserting the csrf token, and an input filter refusing POST requests
when the csrf token is not supplied or does not match that in the
session.

I think rewriting forms to insert csrf tokens is a bit 'eeurgh!' personally…

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
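
The scheme described in the message above, as an added example that is not code from this thread or from the Apache project: a Python WSGI middleware stands in for the Apache output/input filter pair, and an in-memory dict stands in for mod_session. The names CsrfFilter, sid and csrf_token are assumptions, and only urlencoded POST bodies are checked.

```python
import hmac, io, re, secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

FORM_TAG = re.compile(rb"<form\b[^>]*>", re.IGNORECASE)

class CsrfFilter:
    """WSGI middleware standing in for the Apache input/output filter pair."""

    def __init__(self, app):
        self.app = app
        self.tokens = {}  # session id -> token; stand-in for a mod_session store

    def __call__(self, environ, start_response):
        cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        sid = cookie["sid"].value if "sid" in cookie else None
        new_session = sid not in self.tokens
        if new_session:  # unknown or missing session id: issue a fresh one
            sid = secrets.token_urlsafe(16)
        token = self.tokens.setdefault(sid, secrets.token_urlsafe(32))

        # Input filter: refuse a POST whose token is missing or does not match.
        if environ["REQUEST_METHOD"] == "POST":
            size = int(environ.get("CONTENT_LENGTH") or 0)
            raw = environ["wsgi.input"].read(size)
            sent = parse_qs(raw.decode("latin-1")).get("csrf_token", [""])[0]
            if new_session or not hmac.compare_digest(sent.encode(), token.encode()):
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"CSRF token missing or invalid\n"]
            environ["wsgi.input"] = io.BytesIO(raw)  # hand the body back to the app

        # Output filter: buffer the response and add a hidden field to each form.
        seen = {}
        def capture(status, headers, exc_info=None):
            seen["status"], seen["headers"] = status, headers
        body = b"".join(self.app(environ, capture))
        headers = [(k, v) for k, v in seen["headers"] if k.lower() != "content-length"]
        if any(k.lower() == "content-type" and v.startswith("text/html") for k, v in headers):
            field = b'<input type="hidden" name="csrf_token" value="%s">' % token.encode()
            body = FORM_TAG.sub(lambda m: m.group(0) + field, body)
        headers.append(("Content-Length", str(len(body))))  # length changed by rewrite
        if new_session:
            headers.append(("Set-Cookie", "sid=%s; HttpOnly; SameSite=Lax; Path=/" % sid))
        start_response(seen["status"], headers)
        return [body]
```

Forms built by client-side script and multipart uploads never pass through the rewrite or the urlencoded check, which is the main practical limit of doing this outside the application.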



