
Securing Tridion Sites web interfaces against CSRF

Several web-based user interfaces in Tridion Sites, including the Content Manager Explorer and Experience Manager, communicate with a server-side UI framework. To guard these UIs against cross-site request forgery (CSRF), configure anti-CSRF security on the Content Manager server.

About this task

Tridion Sites includes the following two modules to provide security against CSRF:
  • AntiCsrfBasicModule for basic anti-CSRF security
  • AntiCsrfModule for general (more stringent) anti-CSRF security
These modules apply to the following UIs:
  • Content Manager Explorer
  • Experience Manager
  • Other UIs that communicate with the server-side UI framework

Note that these modules do not apply to the Experience Space user interface, introduced in release 9.5.

Procedure

  1. On your Content Manager server, navigate to %TRIDION_HOME% and then to the subfolder web\WebUI\WebRoot\.
  2. In this location, open the file Web.config for editing.
  3. Find the section Configuration/system.webServer/modules/ and do one of the following:
    • To apply basic anti-CSRF security, ensure the presence of the following element:

      <add type="Tridion.Web.UI.Core.Http.AntiCsrfBasicModule, Tridion.Web.UI.Core" name="CME-Core-CsrfModule"/>
    • To apply general (more stringent) anti-CSRF security, ensure the presence of the following element:

      <add type="Tridion.Web.UI.Core.Http.AntiCsrfModule, Tridion.Web.UI.Core" name="CME-Core-CsrfModule" />
    Keep exactly one of these two elements: both register under the same name attribute (CME-Core-CsrfModule), and IIS refuses to load a modules collection that contains a duplicate name.
  4. Save and close Web.config.
  5. Navigate to the Configuration\ subfolder and in this location, open System.config for editing.
  6. If you applied general anti-CSRF security, you can also do one or more of the following in the Configuration/servicemodel/client/csrf element:
    • Set an expiration duration (tokenmaxage attribute) for the anti-CSRF tokens. Once a token is older than this, the server issues a newly generated token cookie and the client must respond correctly with it. The value is expressed in the XSD duration data type format; that is, a string of the form PnYnMnDTnHnMnS (for example, PT8H for eight hours), where:
      String  Usage
      P       Indicates a period (required)
      nY      Indicates the number of years
      nM      Indicates the number of months
      nD      Indicates the number of days
      T       Indicates the start of a time section (required if you are going to specify hours, minutes, or seconds)
      nH      Indicates the number of hours
      nM      Indicates the number of minutes
      nS      Indicates the number of seconds
    • Change the name of the cookie that carries the token (tokencookiename attribute). The name defaults to X-SDL-Tridion-Token, but can be set to any value.
    • Change the name of the HTTP header that carries the token (tokenheadername attribute). The name defaults to X-SDL-Tridion-Token, but can be set to any valid name for a custom HTTP header (that is, a header starting with X-).
  7. Save and close System.config.
  8. Restart your website (for example, from IIS Manager) so that the module registration and token settings take effect.
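As an added example (not code from the Tridion Sites documentation or product), the following PowerShell script audits the outcome of the procedure above: it reports which anti-CSRF module Web.config registers and reads the csrf element from System.config, validating tokenmaxage with the .NET XSD-duration parser and checking the header name against the X- rule stated in step 6. The function names, the constructed sample XML, and the assumption that the elements are literally named modules, add and csrf (the page gives the paths but not their exact casing) are mine.

```powershell
# Added example, not part of the Tridion Sites documentation or product.
# Assumptions: element names 'modules', 'add' and 'csrf' as the page names them;
# function names are mine; the sample XML below is constructed for an offline run.

function Get-TridionCsrfModule {
    param([Parameter(Mandatory)][xml]$WebConfig)
    # Anti-CSRF registrations under system.webServer/modules (namespace-agnostic XPath).
    $entries = @($WebConfig.SelectNodes("//*[local-name()='modules']/*[local-name()='add']") |
        Where-Object { $_.GetAttribute('type') -like 'Tridion.Web.UI.Core.Http.AntiCsrf*' })
    if ($entries.Count -eq 0) { return 'None' }       # no anti-CSRF module at all
    if ($entries.Count -gt 1) { return 'Duplicate' }  # both documented entries share name=CME-Core-CsrfModule
    if ($entries[0].GetAttribute('type') -like '*AntiCsrfBasicModule,*') { return 'Basic' }
    return 'Strict'                                   # AntiCsrfModule, the more stringent one
}

function Get-TridionCsrfSettings {
    param([Parameter(Mandatory)][xml]$SystemConfig)
    $csrf = $SystemConfig.SelectSingleNode("//*[local-name()='csrf']")
    if ($null -eq $csrf) { return $null }

    $maxAge   = $csrf.GetAttribute('tokenmaxage')       # '' when the attribute is absent
    $cookie   = $csrf.GetAttribute('tokencookiename')
    $header   = $csrf.GetAttribute('tokenheadername')
    $warnings = @()
    $span     = $null

    if ($maxAge -ne '') {
        try {
            # XmlConvert implements the XSD duration grammar (PnYnMnDTnHnMnS).
            $span = [System.Xml.XmlConvert]::ToTimeSpan($maxAge)
        } catch {
            $warnings += "tokenmaxage '$maxAge' is not a valid XSD duration (e.g. PT8H)"
        }
    } else {
        $warnings += 'tokenmaxage not set; no token expiry configured in this element'
    }
    if ($header -ne '' -and $header -notlike 'X-*') {
        $warnings += "tokenheadername '$header' does not start with X-"
    }

    # Documented default for both names is X-SDL-Tridion-Token.
    if ($cookie -eq '') { $cookie = 'X-SDL-Tridion-Token' }
    if ($header -eq '') { $header = 'X-SDL-Tridion-Token' }

    [pscustomobject]@{
        TokenMaxAge     = $maxAge
        TokenMaxAgeSpan = $span
        CookieName      = $cookie
        HeaderName      = $header
        Warnings        = $warnings
    }
}

# Constructed samples mirroring the elements the procedure describes.
$sampleWebConfig = [xml]@'
<configuration>
  <system.webServer>
    <modules>
      <add type="Tridion.Web.UI.Core.Http.AntiCsrfModule, Tridion.Web.UI.Core" name="CME-Core-CsrfModule" />
    </modules>
  </system.webServer>
</configuration>
'@

$sampleSystemConfig = [xml]@'
<Configuration>
  <servicemodel>
    <client>
      <csrf tokenmaxage="PT8H" tokencookiename="X-SDL-Tridion-Token" tokenheadername="X-SDL-Tridion-Token" />
    </client>
  </servicemodel>
</Configuration>
'@

"Web.config module: $(Get-TridionCsrfModule $sampleWebConfig)"
Get-TridionCsrfSettings $sampleSystemConfig | Format-List

# Against a real Content Manager server (paths from the procedure, relative to %TRIDION_HOME%):
# $root = Join-Path $env:TRIDION_HOME 'web\WebUI\WebRoot'
# Get-TridionCsrfModule   ([xml](Get-Content -Raw (Join-Path $root 'Web.config')))
# Get-TridionCsrfSettings ([xml](Get-Content -Raw (Join-Path $root 'Configuration\System.config')))
```

Run the commented lines at the end on the Content Manager server after step 8; a result of None or Duplicate from Get-TridionCsrfModule, or any entry in Warnings, means the procedure was not completed as described.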