Configuration examples
minhaz edited this page Aug 16, 2014 · 4 revisions
CSRF Protector's behavior is controlled by the configuration maintained in config.php. Here are a few examples of how different configurations can help you meet your requirements:
WordPress has its own built-in CSRF protection based on nonces; however, many plugin developers forget to integrate it, leaving a loophole in the system. OWASP CSRF Protector closes this gap by automatically attaching a nonce (token) to every request and validating it on the backend. Place the csrfp library in the wp-admin directory and use the following configuration:
```php
<?php
// config.php for CSRF Protector deployed under wp-admin/csrfp
return array(
    // Name of the token cookie/parameter the library attaches to each request
    "CSRFP_TOKEN" => "wp_csrfp_token",
    // Directory where monthly log files are written (must be writable by the web server)
    "logDirectory" => "../log",
    // Action taken when token validation fails, per HTTP method
    "failedAuthAction" => array(
        "GET" => 0,
        "POST" => 0),
    "errorRedirectionPage" => "",
    "customErrorMessage" => "",
    // Filesystem path and public URL of the client-side script
    "jsPath" => "../js/csrfprotector.js",
    "jsUrl" => "http://<YOUR_WORDPRESS_DIRECTORY>/wp-admin/csrfp/js/csrfprotector.js",
    // Length of the generated token
    "tokenLength" => 10,
    // Shown to users who have JavaScript disabled
    "disabledJavascriptMessage" => "This site attempts to protect users against <a href=\"https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\">
    Cross-Site Request Forgeries </a> attacks. In order to do so, you must have JavaScript enabled in your web browser otherwise this site will fail to work correctly for you.
    See details of your web browser for how to enable JavaScript.",
    // URL patterns for which GET requests are also validated (none for WordPress)
    "verifyGetFor" => array()
);
```
Note: you might have to recheck the permissions of the log directory, as CSRFP writes logs by creating a separate log file for each month. The library will throw an exception if it is unable to write to the logs.
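The following pre-flight check is an added example, not part of the CSRF Protector project. It loads a config.php like the one above and verifies the points the WordPress example depends on before the library goes live: every key used above is present, the log directory exists and is writable (the cause of the exception mentioned in the note), jsPath points to a real file, the jsUrl placeholder has been replaced with an absolute URL, and failedAuthAction carries an integer action for both GET and POST. It assumes the relative paths in config.php resolve against the directory that holds config.php; the path passed on the command line is an assumption you supply.

```php
<?php
// Added example, not project code: sanity-check a CSRF Protector config.php
// before enabling the library on a WordPress install.
// Assumption: relative paths (logDirectory, jsPath) are resolved against the
// directory containing config.php.

function csrfp_check_config(string $configPath): array
{
    $problems = [];

    if (!is_readable($configPath)) {
        return ["config file not readable: $configPath"];
    }
    $config = require $configPath;
    if (!is_array($config)) {
        return ["config.php must return an array"];
    }

    // Every key used in the WordPress example must be present.
    $required = ['CSRFP_TOKEN', 'logDirectory', 'failedAuthAction', 'errorRedirectionPage',
                 'customErrorMessage', 'jsPath', 'jsUrl', 'tokenLength',
                 'disabledJavascriptMessage', 'verifyGetFor'];
    foreach ($required as $key) {
        if (!array_key_exists($key, $config)) {
            $problems[] = "missing key: $key";
        }
    }
    if ($problems) {
        return $problems; // later checks would only produce noise
    }

    $base = dirname($configPath);

    // The library creates one log file per month; an unwritable directory makes it throw.
    $logDir = $base . '/' . $config['logDirectory'];
    if (!is_dir($logDir)) {
        $problems[] = "log directory does not exist: $logDir";
    } elseif (!is_writable($logDir)) {
        $problems[] = "log directory is not writable by the web server user: $logDir";
    }

    $jsPath = $base . '/' . $config['jsPath'];
    if (!is_file($jsPath)) {
        $problems[] = "jsPath does not point to a file: $jsPath";
    }

    // jsUrl must be a real absolute URL; the wiki placeholder must have been replaced.
    if (strpos($config['jsUrl'], '<YOUR_WORDPRESS_DIRECTORY>') !== false
        || filter_var($config['jsUrl'], FILTER_VALIDATE_URL) === false) {
        $problems[] = "jsUrl is not a valid absolute URL: {$config['jsUrl']}";
    }

    // failedAuthAction needs an integer action code for both GET and POST.
    foreach (['GET', 'POST'] as $method) {
        if (!isset($config['failedAuthAction'][$method])
            || !is_int($config['failedAuthAction'][$method])) {
            $problems[] = "failedAuthAction[$method] must be an integer";
        }
    }

    // tokenLength must be a positive integer; warn if shorter than the example's 10.
    if (!is_int($config['tokenLength']) || $config['tokenLength'] < 1) {
        $problems[] = "tokenLength must be a positive integer";
    } elseif ($config['tokenLength'] < 10) {
        $problems[] = "tokenLength {$config['tokenLength']} is shorter than the 10 used in the example";
    }

    if (!is_array($config['verifyGetFor'])) {
        $problems[] = "verifyGetFor must be an array of URL patterns";
    }

    return $problems;
}

// Usage (run on the server as the web server user so the writability check is
// meaningful): php check_csrfp_config.php /path/to/wp-admin/csrfp/config.php
$configPath = $argv[1] ?? 'config.php';
$problems = csrfp_check_config($configPath);
if ($problems) {
    foreach ($problems as $p) {
        fwrite(STDERR, "csrfp config: $p\n");
    }
    exit(1);
}
echo "csrfp config looks consistent\n";
```

Run it as the same user the web server runs as; a directory that is writable for your shell account but not for the web server user is exactly the case the note above warns about.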
Note: will be added soon!
PS: the wiki is still under development. Please create a GitHub issue for any correction.