Add custom request header to prevent CSRF #4987

Merged
merged 1 commit into from Aug 10, 2018

edmundoa commented Aug 9, 2018

Improve our protection against CSRF by requiring a custom request header (X-Requested-By) in all non-GET requests sent to our API. This is mentioned as a way of CSRF prevention [1] and it is particularly suitable for REST APIs, since it lets requests remain stateless.

1: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers

Add custom request header to prevent CSRF
Improve our protection against CSRF by requiring a custom request header
(`X-Requested-By`) in all non-GET requests sent to our API. This is
mentioned as a way of CSRF prevention [1] and it is particularly suitable
for REST APIs, since it lets requests remain stateless.

1: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers

@edmundoa edmundoa added this to the 3.0.0 milestone Aug 9, 2018

@edmundoa edmundoa requested review from bernd and kmerz Aug 9, 2018

kmerz commented Aug 10, 2018

I am only adding this for documentation purposes, because I got a better understanding of that fix by reading this pdf:

https://seclab.stanford.edu/websec/csrf/csrf.pdf

Custom HTTP headers can be used to prevent CSRF because the browser prevents sites from sending custom HTTP headers to another site but allows sites to send custom HTTP headers to themselves using XMLHttpRequest. For example, the prototype.js JavaScript library [45] uses this approach and attaches the X-Requested-By header with the value XMLHttpRequest. Google Web Toolkit also recommends [16] that web developers defend against CSRF attacks by attaching a X-XSRF-Cookie header to XMLHttpRequests that contains a cookie value. The cookie value is not actually required to prevent CSRF attacks: the mere presence of the header is sufficient.

@kmerz

kmerz approved these changes Aug 10, 2018

@bernd bernd self-assigned this Aug 10, 2018

bernd commented Aug 10, 2018

I will test this today.

bernd approved these changes Aug 10, 2018

bernd left a comment

LGTM, thank you! 👍

@bernd bernd merged commit 740146f into master Aug 10, 2018

5 checks passed

ci-web-linter: Jenkins build graylog-pr-linter-check 2660 has succeeded
continuous-integration/travis-ci/pr: The Travis CI build passed
continuous-integration/travis-ci/push: The Travis CI build passed
graylog-project/pr: Jenkins build graylog-project-pr-snapshot 1696 has succeeded
license/cla: Contributor License Agreement is signed.

@bernd bernd deleted the csrf-prevention branch Aug 10, 2018

edmundoa added a commit that referenced this pull request Aug 15, 2018

Add custom request header to prevent CSRF (#4987)
Improve our protection against CSRF by requiring a custom request header
(`X-Requested-By`) in all non-GET requests sent to our API. This is
mentioned as a way of CSRF prevention [1] and it is particularly suitable
for REST APIs, since it lets requests remain stateless.

1: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers

bernd added a commit that referenced this pull request Aug 17, 2018

Add custom request header to prevent CSRF (#4998)
* Add custom request header to prevent CSRF (#4987)

Improve our protection against CSRF by requiring a custom request header
(`X-Requested-By`) in all non-GET requests sent to our API. This is
mentioned as a way of CSRF prevention [1] and it is particularly suitable
for REST APIs, since it lets requests remain stateless.

1: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers

* Include CSRF HTTP header in upgrading document

mpfz0r added a commit that referenced this pull request Oct 9, 2018

Add CSRF backward compatibility for older Sidecars
...who don't have the "X-Requested-By" header yet.
Simply accepting "X-Graylog-Collector-Version" serves the same purpose.

Relates to #4987
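The policy described in the PR description above (reject state-changing requests that lack `X-Requested-By`) together with the Sidecar compatibility rule from the commit just above (also accept `X-Graylog-Collector-Version`), as an added example that is not Graylog's own code. The function names, the case-insensitive header lookup and the exemption of HEAD and OPTIONS alongside GET are assumptions of this example; the PR itself only speaks of non-GET requests.

```python
# Added example (not Graylog's code): server-side policy check for the
# custom-header CSRF defence from this PR, plus the Sidecar compatibility
# header accepted by the follow-up commits.
from typing import Mapping, Tuple

# Any one of these headers marks a request as coming from a real API client
# (web UI via XMLHttpRequest, a Sidecar, a script) rather than a cross-site
# form post or navigation, which cannot set custom headers.
REQUIRED_HEADERS = ("X-Requested-By", "X-Graylog-Collector-Version")

# Methods exempt from the check. The PR exempts GET; HEAD and OPTIONS are an
# assumption here (OPTIONS must pass so that CORS preflights still work).
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def _has_header(headers: Mapping[str, str], name: str) -> bool:
    """Case-insensitive presence check; an empty value does not count."""
    wanted = name.lower()
    return any(k.lower() == wanted and v.strip() for k, v in headers.items())


def csrf_check(method: str, headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request.

    Only presence matters, not the value (the quoted Stanford paper makes
    the same point). The defence holds as long as the server's CORS policy
    does not hand arbitrary origins permission to send these headers.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    for name in REQUIRED_HEADERS:
        if _has_header(headers, name):
            return True, f"{name} present"
    return False, "state-changing request without X-Requested-By"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("GET", {}),
        ("POST", {"Content-Type": "application/x-www-form-urlencoded"}),
        ("POST", {"x-requested-by": "XMLHttpRequest"}),
        ("DELETE", {"X-Graylog-Collector-Version": "0.1.0"}),
    ]
    for method, headers in samples:
        allowed, reason = csrf_check(method, headers)
        print(f"{method:6} {'allow' if allowed else 'deny ':5} ({reason})")
```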

bernd added a commit that referenced this pull request Oct 10, 2018

Add CSRF backward compatibility for older Sidecars (#5185)
...who don't have the "X-Requested-By" header yet.
Simply accepting "X-Graylog-Collector-Version" serves the same purpose.

Relates to #4987

mpfz0r added a commit that referenced this pull request Dec 7, 2018

Add CSRF backward compatibility for older Sidecars
...who don't have the "X-Requested-By" header yet.
Simply accepting "X-Graylog-Collector-Version" serves the same purpose.

Relates to #4987

bernd added a commit that referenced this pull request Dec 10, 2018

Add CSRF backward compatibility for older Sidecars (#5388)
...who don't have the "X-Requested-By" header yet.
Simply accepting "X-Graylog-Collector-Version" serves the same purpose.

Relates to #4987