Securing Tridion web interfaces against CSRF

Several of the web-based user interfaces in SDL Tridion Sites, including the Content Manager Explorer and Experience Manager, communicate with a server-side UI framework. To guard these UIs against cross-site request forgery (CSRF), configure anti-CSRF security on the Content Manager server.

About this task

SDL Tridion Sites includes the following two modules to provide security against CSRF:
  • AntiCsrfBasicModule for basic anti-CSRF security
  • AntiCsrfModule for general (more stringent) anti-CSRF security
These modules apply to the following UIs:
  • Content Manager Explorer (also called the "Tridion Classic" interface)
  • Experience Manager
  • Other UIs that communicate with the server-side UI framework

Note that these modules do not apply to the Experience Space user interface, introduced in release 9.5.

Procedure

  1. On your Content Manager server, navigate to %TRIDION_HOME% and then to the subfolder web\WebUI\WebRoot\.
  2. In this location, open the file Web.config for editing.
  3. Find the section Configuration/system.webServer/modules/ and do one of the following:
    • To apply basic anti-CSRF security, ensure the presence of the following element:

      <add type="Tridion.Web.UI.Core.Http.AntiCsrfBasicModule, Tridion.Web.UI.Core" name="CME-Core-CsrfModule"/>
    • To apply general (more stringent) anti-CSRF security, ensure the presence of the following element:

      <add type="Tridion.Web.UI.Core.Http.AntiCsrfModule, Tridion.Web.UI.Core" name="CME-Core-CsrfModule" />
  4. Save and close Web.config.
  5. Navigate to the Configuration\ subfolder and in this location, open System.config for editing.
  6. If you chose to apply general anti-CSRF security, you can also do one or more of the following in the Configuration/servicemodel/client/csrf element:
    • Set an expiration duration (tokenmaxage attribute) for tokens used in authentication. When the duration expires, the client must respond correctly to a newly generated cookie from the server. The value of this attribute is expressed in the XSD duration data type format; that is, a string of the form PnYnMnDTnHnMnS where:

      String   Usage
      P        Indicates a period (required)
      nY       Indicates the number of years
      nM       Indicates the number of months
      nD       Indicates the number of days
      T        Indicates the start of a time section (required if you are going to specify hours, minutes, or seconds)
      nH       Indicates the number of hours
      nM       Indicates the number of minutes
      nS       Indicates the number of seconds
    • Change the name of the cookie used in authentication (tokencookiename attribute). The name defaults to the value X-SDL-Tridion-Token, but can be set to any value.
    • Change the name of the HTTP header used in authentication (tokenheadername attribute). The name defaults to the value X-SDL-Tridion-Token, but can be set to any valid value for a custom HTTP header (that is, a header starting with X-).

    If you change tokencookiename, tokenheadername or both, and if you use the deprecated SDL Tridion Sites Monitoring feature to monitor the user interfaces, then configure the custom cookie name and header name in your Monitoring configuration as well.

  7. Save and close System.config.
  8. Restart your website.
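The tokenmaxage value in step 6 is easy to get wrong, because the same letter M means months before the T and minutes after it. The following Python validator is an added example, not part of the SDL documentation or product: it parses a tokenmaxage string into its components, rejects malformed values before they reach System.config, and converts a value to a timedelta (the year = 365 days and month = 30 days conversion is an assumption of this example, not something XSD defines).

```python
import re
from datetime import timedelta

# XSD duration lexical form PnYnMnDTnHnMnS as used by tokenmaxage: every
# component is optional, "P" is mandatory, and "T" is mandatory before any
# hour/minute/second component. Negative durations ("-P...") are legal XSD
# but meaningless as a token lifetime, so they are deliberately rejected.
_DURATION_RE = re.compile(
    r"^P(?:(?P<years>\d+)Y)?(?:(?P<months>\d+)M)?(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?"
    r"(?:(?P<seconds>\d+(?:\.\d+)?)S)?)?$"
)


def parse_xsd_duration(text):
    """Return the duration's components as a dict, or raise ValueError.

    Pitfall: "P30M" is thirty MONTHS, "PT30M" is thirty MINUTES; whether the
    M comes before or after the T decides which one you configured.
    """
    match = _DURATION_RE.match(text)
    if not match:
        raise ValueError(f"not a valid XSD duration: {text!r}")
    if text.endswith("T"):
        raise ValueError(f"'T' must be followed by a time component: {text!r}")
    parts = {k: v for k, v in match.groupdict().items() if v is not None}
    if not parts:
        raise ValueError(f"duration has no components: {text!r}")
    return {k: (float(v) if k == "seconds" else int(v)) for k, v in parts.items()}


def is_valid_tokenmaxage(text):
    """True if the string is a well-formed XSD duration."""
    try:
        parse_xsd_duration(text)
        return True
    except ValueError:
        return False


def duration_to_timedelta(text):
    """Approximate as a timedelta (assumption: year = 365 days, month = 30 days)."""
    p = parse_xsd_duration(text)
    return timedelta(
        days=p.get("years", 0) * 365 + p.get("months", 0) * 30 + p.get("days", 0),
        hours=p.get("hours", 0), minutes=p.get("minutes", 0), seconds=p.get("seconds", 0),
    )
```

Run the validator over a proposed value before editing System.config; a value that passes here has the shape the attribute expects, and comparing duration_to_timedelta("P30M") with duration_to_timedelta("PT30M") makes the months-versus-minutes mistake visible.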