The Apache Haus Forum


Topic: Referer Header (CSRF) - Please Help!!

ozzy13

Referer Header (CSRF) - Please Help!!
« on: March 05, 2018, 09:51:06 AM »

Hello Peeps!!

I've a query regarding a Referer header validation (CSRF) vulnerability. I want to know if this can be fixed in the Apache config without mod_security? I'm not keen on using mod_security due to its complexity.

TIA.

Gregg

Re: Referer Header (CSRF) - Please Help!!
« Reply #1 on: March 06, 2018, 05:39:13 AM »

After reading a few things about CSRF, it's not really Apache's job to protect against it. The reason mod_security can protect against C/XSRF is because it actually inspects the request for a great many things. It's more the browser's and web app's job to make sure these things are coming from the right origin. Nothing should ever depend on the Referrer for granting anything because the headers can be forged.

That said, I suggest you read OWASP's CSRF Prevention Cheat Sheet.

Also, there are Headers you can set to tell browsers how to behave when it comes to your server/site.
See https://securityheaders.io/. Run a scan on your site and, when you get your score, the page in the bottom section has links to explain the various headers. In the case of CSRF, XSS is not always required but quite often helps pull off the attack. There's a header for it: "X-XSS-Protection: 1; mode=block".

Another would be Referrer-Policy. It has a few options and the link for the explanation is also in that bottom section.


This is what I use on my server (which isn't this one).
Header set Content-Security-Policy "default-src 'self' mydomain.net *.mydomain.net; img-src 'self' data:; style-src 'self' mydomain.net *.mydomain.net; frame-ancestors 'self'"
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Expect-CT "max-age=30; report-uri=\"https://www.mydomain.net/ct/report\""
Header always set X-Frame-Options SAMEORIGIN
Header always set Strict-Transport-Security "max-age=63072000;"

I get an A+ grade at securityheaders.io.

ozzy13

Re: Referer Header (CSRF) - Please Help!!
« Reply #2 on: March 07, 2018, 07:57:42 AM »

Hi Gregg. Thanks for your response.

I've tried the config below but it didn't work the way I want.

Basically, I want to emulate the rule below without using mod_security.

SecRule REQUEST_HEADERS:Referer "!@contains ://%{SERVER_NAME}/" \
"id:432010,phase:2,msg:'Referer header does not point to the server itself %{REQUEST_HEADERS.Referer}',deny,status:403"

Which means that if the Referer header is anything apart from my domain/server name, the request will be forbidden.

Are there any other modules to support the setting?

Thanks

mario

Re: Referer Header (CSRF) - Please Help!!
« Reply #3 on: March 09, 2018, 08:51:23 AM »

You can do that with .htaccess or in your server config:

RewriteEngine On

# A RewriteCond applies only to the RewriteRule that directly follows it,
# so the Referer condition is repeated before each rule.
# It matches when the Referer is not this site (an empty Referer also matches).
RewriteCond %{HTTP_REFERER} !^http://www\.example\.com/ [NC]
# Disallow access to this file in that case ("-" leaves the URL untouched, [F] answers 403).
RewriteRule ^skript\.php$ - [F]

# Disallow by file ending (hotlinking), under the same condition.
RewriteCond %{HTTP_REFERER} !^http://www\.example\.com/ [NC]
RewriteRule \.(jpe?g|gif|bmp|png)$ - [F]
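The mod_rewrite approach checks the Referer on every request and hard-codes http://. As an added example, not code from either poster or from Apache Haus, the same emulation of the mod_security rule ozzy13 quoted (id 432010) on Apache 2.4 with <If> and Require expr: it goes a bit further by only checking state-changing methods, preferring the Origin header as the OWASP cheat sheet Gregg linked recommends, and making the missing-header case an explicit decision. The www.example.com origin, the document root and the fail-closed choice are assumptions.

```apache
# Added example (not mario's or ozzy13's code): emulate rule 432010 on
# Apache 2.4 with mod_authz_core expressions, no mod_security needed.
# Assumption: the site is served only at https://www.example.com.
<Directory "/var/www/html">
    Require all granted

    # GET/HEAD/OPTIONS should never change state, so only unsafe methods are checked.
    <If "%{REQUEST_METHOD} =~ /^(POST|PUT|PATCH|DELETE)$/">
        # Browsers add Origin to cross-site POSTs; it carries no path, so a
        # strict-origin Referrer-Policy leaves it intact. Check it first.
        <If "-n %{req:Origin}">
            Require expr "%{req:Origin} == 'https://www.example.com'"
        </If>
        # Fall back to Referer, anchored on scheme, host and the trailing
        # slash, like the rule's '://%{SERVER_NAME}/'.
        <ElseIf "-n %{req:Referer}">
            Require expr "%{req:Referer} =~ m#^https://www\.example\.com/#"
        </ElseIf>
        # Neither header present (privacy extension, no-referrer policy):
        # rule 432010 fails closed, and so does this example (assumption).
        # Use 'Require all granted' here if anti-CSRF tokens cover that case.
        <Else>
            Require all denied
        </Else>
    </If>
</Directory>
```

Same-origin form posts still send the full Referer under Gregg's strict-origin-when-cross-origin policy, so the fallback branch keeps working for legitimate users; the header check supplements anti-CSRF tokens in the application rather than replacing them.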