
Add custom request header to prevent CSRF #4998

Merged
merged 2 commits into from Aug 17, 2018

Conversation

edmundoa
Contributor

Cherry-picked from #4987

Improve our protection against CSRF by requiring a custom request header (X-Requested-By) in all non-GET requests sent to our API. This is mentioned as a way of CSRF prevention [1] and it is particularly suitable for REST APIs, since it lets requests remain stateless.

The PR also takes care of updating UPGRADING.rst to include this change.

The old sidecar code also needs to be adapted for 2.5, with a change similar to what @mariussturm did here: Graylog2/collector-sidecar#272

1: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers
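The server-side check the PR describes, as an added example that is not Graylog's own code: a pure function that rejects non-GET requests lacking the custom header, plus a small WSGI wrapper showing where it sits. Assumptions not taken from the PR: any non-empty `X-Requested-By` value is accepted, HEAD and OPTIONS are exempted alongside GET as read-only methods, and a rejected request gets HTTP 400.

```python
"""Added example (not Graylog's code): require a custom request header on
state-changing requests, the CSRF defence described in the PR.

Assumed here, not stated by the PR: any non-empty header value passes,
GET/HEAD/OPTIONS are treated as safe methods, and rejection uses HTTP 400.
"""
from http import HTTPStatus

CSRF_HEADER = "X-Requested-By"
# Read-only methods stay unprotected; the PR exempts GET explicitly.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def csrf_check(method: str, headers: dict) -> tuple:
    """Return (allowed, reason) for one request.

    Header names compare case-insensitively, as HTTP requires. The defence
    works because a browser cannot attach a custom header to an HTML form
    submission, and a cross-origin fetch/XHR that tries to set one triggers
    a CORS preflight that the server does not approve.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    value = next((v for k, v in headers.items()
                  if k.lower() == CSRF_HEADER.lower()), None)
    if value is None or not value.strip():
        return False, f"missing {CSRF_HEADER} header on {method.upper()}"
    return True, "header present"


class RequireRequestHeader:
    """Minimal WSGI middleware running csrf_check before the wrapped app."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # WSGI exposes request headers as HTTP_<NAME>, dashes as underscores.
        headers = {k[5:].replace("_", "-"): v
                   for k, v in environ.items() if k.startswith("HTTP_")}
        allowed, reason = csrf_check(environ.get("REQUEST_METHOD", "GET"), headers)
        if not allowed:
            body = reason.encode()
            status = f"{HTTPStatus.BAD_REQUEST.value} {HTTPStatus.BAD_REQUEST.phrase}"
            start_response(status, [("Content-Type", "text/plain"),
                                    ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)
```

Clients that are not browsers (the sidecar mentioned in the PR, curl, scripts) simply add the header to every request; only a forged cross-site browser request is unable to.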

edmundoa and others added 2 commits August 15, 2018 17:17
Improve our protection against CSRF by requiring a custom request header
(`X-Requested-By`) in all non-GET requests sent to our API. This is
mentioned as a way of CSRF prevention [1] and it is particularly suitable
for REST APIs, since it lets requests remain stateless.

1: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers
Member

@bernd bernd left a comment


LGTM! Thank you! 👍
