Text only | Text with Images

The Apache Haus Forum

Forum Topics => Apache 2.4 => Topic started by: ozzy13 on March 05, 2018, 09:51:06 AM

Title: Referer Header (CSRF) - Please Help!!
Post by: ozzy13 on March 05, 2018, 09:51:06 AM
Hello Peeps!!

I've a query regarding Referer Header validation (CSRF) vulnerability. I want to know if this can be fixed in the apache config without mod_security? I'm not keen on using mod_security due to its complexity.

TIA.
Title: Re: Referer Header (CSRF) - Please Help!!
Post by: Gregg on March 06, 2018, 05:39:13 AM
After reading a few things about CSRF it's not really Apache's job to protect. The reason mod_security can protect against c/xsrf is because it actually inspects the request for a great many things.  It's more the browsers and web apps job to make sure these things are coming from the right origin. Nothing should ever depend on the Referrer for granting  anything because the headers can be forged.

That said, I suggest you read OWASP's CSRF Prevention Cheat Sheet (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet).

Also, there are Headers you can set to tell browsers how to behave when it comes to your server/site.
See https://securityheaders.io/. Run a scan on your site and when you get your score, the page in the bottom section has links to explain the various headers. In the case of CSRF, XSS is not always required but quite often helps pull off the attack. There's a header for it. "X-XSS-Protection: 1; mode=block".

Another would be Referrer-Policy. It has a few options and the link for the explanation is also in that bottom section.


This is what I use on my server (which isn't this one).
Code Select

Header set Content-Security-Policy "default-src 'self' mydomain.net *.mydomain.net; img-src 'self' data:; style-src 'self' mydomain.net *.mydomain.net; frame-ancestors 'self'"
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Expect-CT "max-age=30; report-uri=\"https://www.mydomain.net/ct/report\""
Header always set X-Frame-Options SAMEORIGIN
Header always set Strict-Transport-Security "max-age=63072000;"


I get an A+ grade at securityheaders.io.
Title: Re: Referer Header (CSRF) - Please Help!!
Post by: ozzy13 on March 07, 2018, 07:57:42 AM
Hi Gregg. Thanks for your response.

I've tried the below config but it didnt work as per what I want.

Basically, I want to emulate below rule without using mod_security.

SecRule REQUEST_HEADERS:Referer "!@contains ://%{SERVER_NAME}/" \
"id:432010,phase:2,msg:'Referer header does not point to the server itself %{REQUEST_HEADERS.Referer}',deny,status:403"

Which means if the request headers is anything apart from my domain/server name, it will be forbidden.

Are there any other modules to support the setting?

Thanks
Title: Re: Referer Header (CSRF) - Please Help!!
Post by: mario on March 09, 2018, 08:51:23 AM
You can do that with htaccess or in your server config

Code Select

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.example.com/.*$ [NC]

# disallow access to this file if the referrer is not set.
RewriteRule ^skript.php$ [F]

# disallow by file endings
RewriteRule .(jpe?g|gif|bmp|png)$ - [F]
Text only | Text with Images