Activating Cross-Site Request Forgery (CSRF) filtering
You can activate the CWCSRFPreventionFilter filter to mitigate vulnerability to CSRF attacks in Contenta Web.
A CSRF attack can force an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker cannot see the response to the forged request. With a simple action (such as sending a link via email or chat), an attacker may trick the user of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests such as transferring funds or changing an email address. If the victim is an administrative user, a CSRF attack can compromise the entire web application.
| Parameter | Description |
|---|---|
| debugLevel | Default 0. Setting this parameter to a numerical value between 1 and 15 determines the level of debug messages written to the standard Tomcat output file. The environment variable XYV_CWCSRFFILTER_DEBUG overrides this value. If this environment variable is set, debug messages for the filter initialization process are written with the rest of the filter debug messages. |
| nonceViaJS | Default ON. This value allows the filter to insert a JavaScript snippet to manage the CSRF token for HTML forms. This behavior applies only to the URLs specified in the blackList parameter. Setting the value to OFF turns off this behavior of the filter. |
| protectedContents | Value can be a Java regular expression. Any URL with an extension matched by the regular expression is ignored for CSRF token addition or verification. The web.xml file delivered by Contenta contains the following default regular expression. |
| blackList | A comma-delimited list of URL context paths can be specified, as in the following example. For CSRF filtering to work properly, you must add each URL you want to protect to the For example, to protect ValidateRefs.jsp, add /custom/S1000D_Validate_Refs/ValidateRefs.jsp to the |
| nonceCacheSize | Default 500. If the blacklist section of a web.xml file contains many URLs, you may want to increase the value of this parameter. The value assigned to nonceCacheSize must be the same for all web.xml files. |
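The following added example models how the blackList, protectedContents and nonceCacheSize parameters interact; it is written for this page and is not the product's CWCSRFPreventionFilter code. It assumes blacklist entries match as path prefixes, that nonces are kept per session in a bounded least-recently-used cache, and that safe methods (GET, HEAD, OPTIONS) are not checked; the `CsrfFilter` class and the sample paths are constructed.

```python
import re
import secrets
from collections import OrderedDict

# Hypothetical model of the filter's decision logic, written for this page;
# it is not the product's CWCSRFPreventionFilter implementation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumption: only state-changing methods are checked


class CsrfFilter:
    def __init__(self, black_list, protected_contents, nonce_cache_size=500):
        # blackList: comma-delimited URL context paths that must carry a nonce
        self.black_list = [p.strip() for p in black_list.split(",") if p.strip()]
        # protectedContents: regex of static-content URLs exempt from token handling
        self.protected_contents = re.compile(protected_contents)
        # nonceCacheSize: how many recently issued nonces a session remembers
        self.nonce_cache_size = nonce_cache_size

    def is_protected(self, path):
        """True only for blacklisted paths that are not static content."""
        if self.protected_contents.search(path):
            return False
        return any(path.startswith(prefix) for prefix in self.black_list)

    def issue_nonce(self, session):
        """Mint a nonce for a protected page and remember it in the session's LRU cache."""
        cache = session.setdefault("csrf_nonces", OrderedDict())
        nonce = secrets.token_urlsafe(16)
        cache[nonce] = True
        while len(cache) > self.nonce_cache_size:
            cache.popitem(last=False)  # evict the oldest nonce once the cache is full
        return nonce

    def allow(self, session, method, path, nonce):
        """Decide whether a request passes the filter."""
        if method in SAFE_METHODS or not self.is_protected(path):
            return True
        cache = session.get("csrf_nonces", OrderedDict())
        if nonce is None or nonce not in cache:
            return False
        cache.move_to_end(nonce)  # mark the nonce as recently used
        return True
```

With a small cache, opening more protected pages than nonceCacheSize evicts the oldest nonce and a form submitted from that page is rejected, which is why the documentation suggests raising the value when the blacklist is long.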