
Add custom request header to prevent CSRF #4998

Merged
merged 2 commits into 2.5 from csrf-protection-25 on Aug 17, 2018

@edmundoa
Member

edmundoa commented Aug 15, 2018

Cherry-picked from #4987

Improve our protection against CSRF by requiring a custom request header (X-Requested-By) in all non-GET requests sent to our API. This is mentioned as a way of CSRF prevention [1] and it is particularly suitable for REST APIs, since it lets requests remain stateless.

The PR also takes care of updating UPGRADING.rst to include this change.

The old sidecar code also needs to be adapted for 2.5, with a change similar to what @mariussturm did here: Graylog2/collector-sidecar#272

1: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers
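The mechanism the PR relies on, as an added example that is not Graylog's code and not part of this pull request: a cross-site HTML form, `<img>` or plain `<script>` load cannot attach a custom header, and a cross-origin `fetch`/`XMLHttpRequest` that tries to add one is stopped by a CORS preflight unless the server explicitly allows that header for that origin with credentials. So a server that rejects every non-safe request lacking `X-Requested-By` gets CSRF protection without any per-session token. The header name `X-Requested-By` and the status codes are taken from this PR's description and from common practice; the function names, the `trustedOrigins` parameter and the sample header maps are assumptions made for the example.

```javascript
// Added example (not Graylog's own implementation): a stateless CSRF guard
// that requires a custom request header on every state-changing request,
// plus a companion check for the CORS misconfiguration that would void it.

const CSRF_HEADER = "x-requested-by";            // header names are case-insensitive
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]); // read-only / preflight, no header needed

// Decide whether a request passes the custom-header check.
// `method` is the HTTP method as received (any case); `headers` is a
// name -> value map as a web framework would hand it over.
// Returns { allowed, status, reason } so a middleware can answer directly.
function csrfCheck(method, headers) {
  const m = String(method || "").toUpperCase();
  if (SAFE_METHODS.has(m)) {
    return { allowed: true, status: 200, reason: "safe method, no header required" };
  }
  // Normalise header names so "X-Requested-By" and "x-requested-by" both match.
  let value;
  for (const [name, v] of Object.entries(headers || {})) {
    if (name.toLowerCase() === CSRF_HEADER) { value = v; break; }
  }
  // An empty value is treated as absent: a browser form can never send the
  // header at all, so any literal value proves a script on an allowed origin.
  if (value === undefined || String(value).trim() === "") {
    // 400 rather than 403: the request is malformed for this API and is
    // rejected before the body is read, so no side effect can occur.
    return { allowed: false, status: 400, reason: "missing " + CSRF_HEADER + " header" };
  }
  return { allowed: true, status: 200, reason: "custom header present" };
}

// The guard above only holds while the browser refuses to send the header
// cross-origin. If the API's OPTIONS handler echoes an untrusted origin with
// Access-Control-Allow-Credentials: true and lists the header in
// Access-Control-Allow-Headers, a cross-site script can add it and the
// user's cookies ride along. This inspects the headers a preflight response
// would carry and reports whether it re-enables CSRF for `requestOrigin`.
// (`trustedOrigins` is a hypothetical allow-list for the example.)
function preflightEnablesCsrf(responseHeaders, requestOrigin, trustedOrigins) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders || {})) h[k.toLowerCase()] = String(v).trim();
  const allowHeaders = (h["access-control-allow-headers"] || "")
    .toLowerCase().split(",").map(s => s.trim());
  // Only an explicit listing counts: browsers do not honour a "*" in
  // Access-Control-Allow-Headers for credentialed requests.
  const headerAllowed = allowHeaders.includes(CSRF_HEADER);
  // Cookies are attached only when the exact origin is echoed and credentials
  // are allowed; a bare "*" origin never carries credentials.
  const credentialed = h["access-control-allow-credentials"] === "true" &&
                       h["access-control-allow-origin"] === requestOrigin;
  return headerAllowed && credentialed && !trustedOrigins.includes(requestOrigin);
}

// Constructed sample requests: what a cross-site form can produce versus
// what the project's own web UI or a curl user would send.
const forgedForm = csrfCheck("POST", { "Content-Type": "application/x-www-form-urlencoded" });
const uiRequest  = csrfCheck("PUT",  { "X-Requested-By": "Graylog API Browser" });
console.log("cross-site form POST:", forgedForm);
console.log("UI PUT with header:  ", uiRequest);
```

In a real deployment the check sits in a filter that runs before authentication and before the request body is parsed, and the same header has to be added by every non-browser client (the sidecar change referenced above is exactly that). The `preflightEnablesCsrf` check is worth running against the API's actual OPTIONS responses whenever CORS settings change, because a permissive preflight silently removes the protection.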

edmundoa added some commits Aug 10, 2018

Add custom request header to prevent CSRF (#4987)
Improve our protection against CSRF by requiring a custom request header
(`X-Requested-By`) in all non-GET requests sent to our API. This is
mentioned as a way of CSRF prevention [1] and it is particularly suitable
for REST APIs, since it lets requests remain stateless.

1: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers

@edmundoa edmundoa added this to the 2.5.0 milestone Aug 15, 2018

@bernd

bernd approved these changes Aug 17, 2018

LGTM! Thank you! 👍

@bernd bernd self-assigned this Aug 17, 2018

@bernd bernd merged commit 6902df0 into 2.5 Aug 17, 2018

4 of 5 checks passed

ci-web-linter: Jenkins build graylog-pr-linter-check 2673 has failed
continuous-integration/travis-ci/pr: The Travis CI build passed
continuous-integration/travis-ci/push: The Travis CI build passed
graylog-project/pr: Jenkins build graylog-project-pr-snapshot 1714 has succeeded
license/cla: Contributor License Agreement is signed.

@bernd bernd deleted the csrf-protection-25 branch Aug 17, 2018
