Securing SDL Tridion Sites-based interfaces against CSRF

To guard Content Manager Explorer, Experience Manager, or any other interface that communicates with the server-side UI framework, against cross-site request forgery (CSRF), configure basic or general anti-CSRF security on the Content Manager server.

Procedure

  1. On your Content Manager server, navigate to %TRIDION_HOME% and then to the subfolder web\WebUI\WebRoot\.
  2. In this location, open the file Web.config for editing.
  3. Find the section Configuration/system.webServer/modules/ and do one of the following:
    • To apply basic anti-CSRF security, ensure the presence of the following element:

      <add type="Tridion.Web.UI.Core.Http.AntiCsrfBasicModule, Tridion.Web.UI.Core" name="CME-Core-CsrfModule"/>
    • To apply general (more stringent) anti-CSRF security, ensure the presence of the following element:

      <add type="Tridion.Web.UI.Core.Http.AntiCsrfModule, Tridion.Web.UI.Core" name="CME-Core-CsrfModule" />
  4. Save and close Web.config.
  5. Navigate to the Configuration\ subfolder and in this location, open System.config for editing.
  6. If you selected to apply general anti-CSRF security, you can also do one or more of the following in the Configuration/servicemodel/client/csrf element:
    • Set an expiration duration (tokenmaxage attribute) for the tokens used in authentication. When the duration expires, the client must respond correctly to a newly generated cookie from the server. The duration in this attribute is expressed in the XSD duration data type format; that is, a string of the form PnYnMnDTnHnMnS where:
      • P indicates the period (required)
      • nY indicates the number of years
      • nM indicates the number of months
      • nD indicates the number of days
      • T indicates the start of a time section (required if you are going to specify hours, minutes, or seconds)
      • nH indicates the number of hours
      • nM indicates the number of minutes
      • nS indicates the number of seconds
    • Change the name of the cookie used in authentication (tokencookiename attribute). The name defaults to the value X-SDL-Tridion-Token, but can be set to any value.
    • Change the name of the HTTP header used in authentication (tokenheadername attribute). The name defaults to the value X-SDL-Tridion-Token, but can be set to any valid value for a custom HTTP header (that is, a header starting with X-).

    If you change tokencookiename, tokenheadername, or both, and you use the deprecated SDL Tridion Sites Monitoring feature to monitor the user interfaces, then configure the custom cookie name and header name in your Monitoring configuration as well.

  7. Save and close System.config.
  8. Restart your Web site.
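As an added example that is not part of the SDL Tridion Sites documentation, the following Python script audits the csrf element settings described in step 6: it parses an XSD-duration tokenmaxage value into seconds, reports the cookie and header names in effect (falling back to the documented default X-SDL-Tridion-Token), and flags a tokenheadername that does not start with X-. The System.config fragment is constructed for the example, the element path Configuration/servicemodel/client/csrf is taken from the procedure above, and year and month lengths are assumed to be 365 and 30 days.

```python
import re
import xml.etree.ElementTree as ET

# XSD duration PnYnMnDTnHnMnS: P is required, every component is optional,
# and T may only appear when at least one of H, M or S follows it.
_DURATION_RE = re.compile(
    r"^P(?:(?P<Y>\d+)Y)?(?:(?P<Mo>\d+)M)?(?:(?P<D>\d+)D)?"
    r"(?:T(?:(?P<H>\d+)H)?(?:(?P<Mi>\d+)M)?(?:(?P<S>\d+(?:\.\d+)?)S)?)?$"
)

def parse_xsd_duration(value):
    """Return the duration components as a dict (e.g. {'H': 8.0}) or raise ValueError."""
    m = _DURATION_RE.match(value)
    if not m or value == "P" or value.endswith("T"):
        raise ValueError(f"tokenmaxage {value!r} is not a valid XSD duration")
    return {k: float(v) for k, v in m.groupdict().items() if v is not None}

def duration_seconds(parts, days_per_month=30, days_per_year=365):
    """Approximate total seconds; years and months have no fixed length (assumed here)."""
    days = parts.get("Y", 0) * days_per_year + parts.get("Mo", 0) * days_per_month + parts.get("D", 0)
    return days * 86400 + parts.get("H", 0) * 3600 + parts.get("Mi", 0) * 60 + parts.get("S", 0)

# Constructed System.config fragment; a real file contains many more sections.
SAMPLE_SYSTEM_CONFIG = """<Configuration>
  <servicemodel>
    <client>
      <csrf tokenmaxage="PT8H" tokencookiename="X-Acme-Token" tokenheadername="X-Acme-Token"/>
    </client>
  </servicemodel>
</Configuration>"""

def audit_csrf_config(system_config_xml):
    """Report the csrf settings in effect and anything an administrator should fix."""
    csrf = ET.fromstring(system_config_xml).find("./servicemodel/client/csrf")
    if csrf is None:
        return {"configured": False, "warnings": ["servicemodel/client/csrf element is missing"]}
    report = {"configured": True, "warnings": [], "maxage_seconds": None,
              "cookie": csrf.get("tokencookiename", "X-SDL-Tridion-Token"),
              "header": csrf.get("tokenheadername", "X-SDL-Tridion-Token")}
    if not report["header"].startswith("X-"):
        report["warnings"].append(f"tokenheadername {report['header']!r} should start with X-")
    if csrf.get("tokenmaxage") is not None:
        try:
            report["maxage_seconds"] = duration_seconds(parse_xsd_duration(csrf.get("tokenmaxage")))
        except ValueError as exc:
            report["warnings"].append(str(exc))
    return report

if __name__ == "__main__":
    print(audit_csrf_config(SAMPLE_SYSTEM_CONFIG))
```

Run it against a copy of your own System.config by passing the file contents to audit_csrf_config; a non-empty warnings list means the csrf element needs attention before the restart in step 8.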