
Activating Cross-Site Request Forgery (CSRF) filtering

You can activate the CWCSRFPreventionFilter filter to mitigate vulnerability to CSRF attacks in Contenta Web.

A CSRF attack can force an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, because the attacker cannot see the response to the forged request. With a simple action (such as sending a link via email or chat), an attacker may trick the user of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests such as transferring funds or changing an email address. If the victim is an administrative user, a CSRF attack can compromise the entire web application.

By default, this filter is turned off (commented) in every web.xml file. To activate this filter, un-comment the filter configuration in every web.xml file. The following filter initialization parameters can be used to control the behavior of this filter.
Parameter
    Description

debugLevel
    Default 0. Setting this parameter to a numerical value between 1 and 15 determines the level of debug messages written to the standard Tomcat output file. The environment variable XYV_CWCSRFFILTER_DEBUG overrides this value. If this environment variable is set, debug messages for the filter initialization process are written together with the rest of the filter debug messages.

nonceViaJS
    Default ON. This value allows the filter to insert a JavaScript snippet that manages the CSRF token for HTML forms. This behavior applies only to the URLs listed in the blackList parameter. Setting the value to OFF turns off this behavior of the filter.

protectedContents
    Value can be a Java regular expression. Any URL whose extension matches the regular expression is ignored for CSRF token addition and verification. The web.xml file delivered by Contenta contains the following default regular expression.

    regex (.js$)|(.css)|(.jar)|(.html)|(.gif)|(.png)|(.ico)|(.jpg)|(.zip)|(.log)|(.pdf)

blackList
    A comma-delimited list of URL context paths can be specified, as in the following example.

    /standard/code/CWError.jsp,/standard/code/CWErrorOnLoad.jsp

    For CSRF filtering to work properly, you must add each URL you want to protect to the blacklist section of the web.xml file that corresponds to the location of the JSP file, and also to the Contenta_home\web\cw\WEB-INF\web.xml file.

    For example, to protect ValidateRefs.jsp, add /custom/S1000D_Validate_Refs/ValidateRefs.jsp to the blacklist section of the Contenta_home\web\cw_common\WEB-INF\web.xml file, because ValidateRefs.jsp is located in the cw_common folder. You must also add this JSP to the blacklist section of the Contenta_home\web\cw\WEB-INF\web.xml file.

nonceCacheSize
    Default 500. If the blacklist section of a web.xml file contains many URLs, you may want to increase the value of this parameter. The value assigned to nonceCacheSize must be the same for all web.xml files.
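Because the protectedContents expression decides which URLs the filter skips entirely, it is worth checking which of your blacklisted paths it exempts. The default expression shipped in web.xml uses an unescaped dot and anchors only the .js alternative, so it also matches an extension-like substring anywhere in a path. The script below is an added example, not Contenta code; it assumes the filter applies the expression as a search (Java find()) against the request path without its query string, and the tightened pattern STRICT_PROTECTED_CONTENTS is this example's own suggestion, not a Contenta default.

```python
import re

# Default protectedContents value quoted from the Contenta web.xml on this page.
DEFAULT_PROTECTED_CONTENTS = (
    r"(.js$)|(.css)|(.jar)|(.html)|(.gif)|(.png)|(.ico)|(.jpg)|(.zip)|(.log)|(.pdf)"
)

# Tightened form (this example's suggestion, not shipped by Contenta): the dot is
# escaped and every extension is anchored to the end of the path, so only a real
# file extension causes the filter to skip a request.
STRICT_PROTECTED_CONTENTS = r"\.(js|css|jar|html|gif|png|ico|jpg|zip|log|pdf)$"


def is_exempt(path, pattern):
    """Return True if the filter would skip CSRF handling for this request path.

    Assumption: the filter searches the path (Java Matcher.find() semantics)
    after the query string has been removed.
    """
    path = path.split("?", 1)[0]
    return re.search(pattern, path) is not None


def audit(paths, pattern):
    """Map each path to whether the given protectedContents pattern exempts it."""
    return {p: is_exempt(p, pattern) for p in paths}


# Constructed sample paths: two real blacklist entries from this page plus
# hypothetical JSPs whose names contain an extension-like substring.
SAMPLE_PATHS = [
    "/standard/code/CWError.jsp",
    "/custom/S1000D_Validate_Refs/ValidateRefs.jsp",
    "/cw/scripts/app.js",
    "/custom/logview/Show.jsp",
    "/catalog/items.jsp?id=7",
]

if __name__ == "__main__":
    for name, pattern in (("default", DEFAULT_PROTECTED_CONTENTS),
                          ("strict", STRICT_PROTECTED_CONTENTS)):
        print(name)
        for path, exempt in audit(SAMPLE_PATHS, pattern).items():
            print(f"  {'EXEMPT   ' if exempt else 'protected'} {path}")
```

With the default expression, /custom/logview/Show.jsp and /catalog/items.jsp are exempted (the substrings "/log" and "alog" match the (.log) alternative) and would receive no CSRF token check even if blacklisted; the strict form exempts only the static asset.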