Add custom request header to prevent CSRF #4987

Merged
merged 1 commit into from Aug 10, 2018
Conversation

@edmundoa
Member

@edmundoa edmundoa commented Aug 9, 2018

Improve our protection against CSRF by requiring a custom request header (X-Requested-By) in all non-GET requests sent to our API. This is mentioned as a way of CSRF prevention [1] and it is particularly suitable for REST APIs, since it lets requests remain stateless.

1: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers

@edmundoa edmundoa added this to the 3.0.0 milestone Aug 9, 2018
@edmundoa edmundoa requested review from bernd and kmerz Aug 9, 2018
@kmerz
Member

@kmerz kmerz commented Aug 10, 2018

I only add this for documentation purposes, because I got a better understanding of that fix by reading this PDF:

https://seclab.stanford.edu/websec/csrf/csrf.pdf

> Custom HTTP headers can be used to prevent CSRF because the browser prevents sites from sending custom HTTP headers to another site but allows sites to send custom HTTP headers to themselves using XMLHttpRequest. For example, the prototype.js JavaScript library [45] uses this approach and attaches the X-Requested-By header with the value XMLHttpRequest. Google Web Toolkit also recommends [16] that web developers defend against CSRF attacks by attaching a X-XSRF-Cookie header to XMLHttpRequests that contains a cookie value. The cookie value is not actually required to prevent CSRF attacks: the mere presence of the header is sufficient.
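The rule described in the PR description and in the paper quoted above, written out as an added example: a small server-side check that lets safe methods through and rejects any other request that does not carry a non-empty `X-Requested-By` header. This is illustrative code, not Graylog's own filter; the WSGI middleware and the `echo_app` it protects are assumptions made for the example.

```python
from typing import Callable, Iterable, Mapping

# Header name taken from the PR. Its value is not a secret: the defense rests on the
# browser refusing to add custom headers to cross-site requests (forms, simple fetches)
# without a CORS preflight, so only same-origin script can set it.
REQUIRED_HEADER = "X-Requested-By"

# Methods that must not change server state stay unprotected, matching the PR's
# "all non-GET requests". HEAD and OPTIONS are treated as safe as well, so CORS
# preflights (which a browser sends without the custom header) are not rejected.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def csrf_header_ok(method: str, headers: Mapping[str, str]) -> bool:
    """Return True if the request may proceed under the custom-header rule."""
    if method.upper() in SAFE_METHODS:
        return True
    # Header names are case-insensitive; any non-blank value satisfies the check.
    for name, value in headers.items():
        if name.lower() == REQUIRED_HEADER.lower() and value.strip():
            return True
    return False


def csrf_middleware(app: Callable) -> Callable:
    """WSGI middleware (assumed for this example): reject unsafe requests lacking the header.

    Caveat: the defense only holds while the CORS policy does not allow
    X-Requested-By for arbitrary origins; a wildcard Access-Control-Allow-Headers
    with a reflected Origin would let a cross-site XMLHttpRequest add the header.
    """
    def wrapped(environ: Mapping[str, str], start_response: Callable) -> Iterable[bytes]:
        method = environ.get("REQUEST_METHOD", "GET")
        # WSGI exposes request headers as HTTP_X_REQUESTED_BY and similar keys.
        headers = {k[5:].replace("_", "-"): v for k, v in environ.items() if k.startswith("HTTP_")}
        if not csrf_header_ok(method, headers):
            body = b'{"message":"missing X-Requested-By header"}'
            start_response("400 Bad Request", [("Content-Type", "application/json"),
                                               ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped


def echo_app(environ: Mapping[str, str], start_response: Callable) -> Iterable[bytes]:
    """Constructed stand-in for the protected API: answers 200 with the method used."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("REQUEST_METHOD", "GET").encode()]
```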

kmerz
kmerz approved these changes Aug 10, 2018
@bernd bernd self-assigned this Aug 10, 2018
@bernd
Member

@bernd bernd commented Aug 10, 2018

I will test this today.

bernd
bernd approved these changes Aug 10, 2018
Member

@bernd bernd left a comment

LGTM, thank you! 👍

@bernd bernd merged commit 740146f into master Aug 10, 2018
5 checks passed
@bernd bernd deleted the csrf-prevention branch Aug 10, 2018
edmundoa added a commit that referenced this issue Aug 15, 2018
bernd added a commit that referenced this issue Aug 17, 2018
* Add custom request header to prevent CSRF (#4987)
* Include CSRF HTTP header in upgrading document
mpfz0r added a commit that referenced this issue Oct 9, 2018
...who don't have the "X-Requested-By" header yet.
Simply accepting "X-Graylog-Collector-Version" serves the same purpose.

Relates to #4987
bernd added a commit that referenced this issue Oct 10, 2018
mpfz0r added a commit that referenced this issue Dec 7, 2018
bernd added a commit that referenced this issue Dec 10, 2018