Securing SDL Tridion-based interfaces against CSRF

To guard Content Manager Explorer, Experience Manager, or any other interface that communicates with the server-side UI framework against cross-site request forgery (CSRF), configure basic or general anti-CSRF security on the Content Manager server.

Procedure

  1. On your Content Manager server, navigate to %TRIDION_HOME% (defaults to C:\Program Files (x86)\Tridion\) and then to the subfolder web\WebUI\WebRoot\.
  2. In this location, open the file Web.config for editing.
  3. Find the section Configuration/system.web/httpModules/ and do one of the following:
    • To apply basic anti-CSRF security, ensure the presence of the following element:

      <add type="Tridion.Web.UI.Core.Http.AntiCsrfBasicModule, Tridion.Web.UI.Core" name="CME-Core-CsrfModule"/>
    • To apply general (more stringent) anti-CSRF security, ensure the presence of the following element:

      <add type="Tridion.Web.UI.Core.Http.AntiCsrfModule, Tridion.Web.UI.Core" name="CME-Core-CsrfModule" />
  4. Do the same in the section Configuration/system.webServer/modules/.
  5. Save and close Web.config.
  6. Navigate to the Configuration\ subfolder and in this location, open System.config for editing.
  7. If you chose to apply general anti-CSRF security, you can also do one or more of the following in the Configuration/servicemodel/client/csrf element:
    • Set an expiration duration (tokenmaxage attribute) for the tokens used in authentication. When a token expires, the client must respond correctly to a newly generated cookie from the server.
    • Change the name of the cookie used in authentication (tokencookiename attribute). The name defaults to the value X-SDL-Tridion-Token, but can be set to any value.
    • Change the name of the HTTP header used in authentication (tokenheadername attribute). The name defaults to the value X-SDL-Tridion-Token, but can be set to any valid value for a custom HTTP header (that is, a header starting with X-).

    If you change tokencookiename, tokenheadername, or both, and you use SDL Tridion Monitoring to monitor the user interfaces, then configure the custom cookie name and header name in your Monitoring configuration as well.

  8. Save and close System.config.
  9. Restart your Web site.
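The following script is an added example and not part of SDL Tridion or of this procedure. It reads a Web.config and reports which anti-CSRF module (basic, general, or none) is registered under Configuration/system.web/httpModules/ and Configuration/system.webServer/modules/, so you can confirm after steps 3 and 4 that both sections carry the same module. The module type names and the CME-Core-CsrfModule name are taken from the procedure above; the embedded Web.config excerpt is constructed for illustration, and the file path in check_file is an assumption.

```python
"""Report the anti-CSRF module registered in an SDL Tridion Web.config.

Added example, not SDL's own tooling. Parses Web.config and states, for
each of the two sections the procedure names, whether the basic module,
the general module, or no module is registered.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Registration name and module types as given in the procedure.
MODULE_NAME = "CME-Core-CsrfModule"
MODULE_TYPES = {
    "Tridion.Web.UI.Core.Http.AntiCsrfBasicModule, Tridion.Web.UI.Core": "basic",
    "Tridion.Web.UI.Core.Http.AntiCsrfModule, Tridion.Web.UI.Core": "general",
}
# Both sections must carry the module (steps 3 and 4 of the procedure).
SECTIONS = (("system.web", "httpModules"), ("system.webServer", "modules"))

# Constructed Web.config excerpt: the general module registered in both sections.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpModules>
      <add type="Tridion.Web.UI.Core.Http.AntiCsrfModule, Tridion.Web.UI.Core" name="CME-Core-CsrfModule" />
    </httpModules>
  </system.web>
  <system.webServer>
    <modules>
      <add type="Tridion.Web.UI.Core.Http.AntiCsrfModule, Tridion.Web.UI.Core" name="CME-Core-CsrfModule" />
    </modules>
  </system.webServer>
</configuration>
"""


def _child(node, tag):
    """Return the first direct child with the given tag, or None."""
    for child in node:
        if child.tag == tag:
            return child
    return None


def _normalize(type_attr):
    """Tolerate whitespace differences around the comma in the type attribute."""
    return ", ".join(part.strip() for part in type_attr.split(","))


def csrf_modes(web_config_xml):
    """Return {"parent/section": mode}, mode being 'basic', 'general', 'unknown' or 'none'."""
    root = ET.fromstring(web_config_xml)
    result = {}
    for parent_tag, section_tag in SECTIONS:
        mode = "none"
        parent = _child(root, parent_tag)
        section = _child(parent, section_tag) if parent is not None else None
        if section is not None:
            for add in section.findall("add"):
                if add.get("name") == MODULE_NAME:
                    # A CME-Core-CsrfModule entry with an unexpected type is flagged, not ignored.
                    mode = MODULE_TYPES.get(_normalize(add.get("type", "")), "unknown")
        result[f"{parent_tag}/{section_tag}"] = mode
    return result


def is_consistently_protected(web_config_xml):
    """True only if both sections register the same basic or general module."""
    modes = set(csrf_modes(web_config_xml).values())
    return len(modes) == 1 and modes <= {"basic", "general"}


def check_file(path):
    """Run the check against a Web.config on disk (path is an assumption)."""
    return csrf_modes(Path(path).read_text(encoding="utf-8"))


if __name__ == "__main__":
    for section, mode in csrf_modes(SAMPLE_WEB_CONFIG).items():
        print(f"{section}: {mode}")
    print("consistent:", is_consistently_protected(SAMPLE_WEB_CONFIG))
```

On a Content Manager server you would call check_file with the path from step 1, for example %TRIDION_HOME%\web\WebUI\WebRoot\Web.config; a result other than the same mode in both sections means step 4 was skipped or the two sections disagree.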