Securing SDL Tridion Sites-based interfaces against CSRF
To guard Content Manager Explorer, Experience Manager, or any other interface that communicates with the server-side UI framework against cross-site request forgery (CSRF), configure basic or general anti-CSRF security on the Content Manager server.
Procedure
- On your Content Manager server, navigate to %TRIDION_HOME% and then to the subfolder web\WebUI\WebRoot\.
- In this location, open the file Web.config for editing.
- Find the section Configuration/system.webServer/modules/ and do one of the following:
  - To apply basic anti-CSRF security, ensure the presence of the following element:
    <add type="Tridion.Web.UI.Core.Http.AntiCsrfBasicModule, Tridion.Web.UI.Core" name="CME-Core-CsrfModule"/>
  - To apply general (more stringent) anti-CSRF security, ensure the presence of the following element:
    <add type="Tridion.Web.UI.Core.Http.AntiCsrfModule, Tridion.Web.UI.Core" name="CME-Core-CsrfModule" />
- Save and close Web.config.
- Navigate to the Configuration\ subfolder and, in this location, open System.config for editing.
- If you selected to apply general anti-CSRF security, you can also do one or more of the following in the Configuration/servicemodel/client/csrf element:
  - Set an expiration duration (tokenmaxage attribute) for tokens used in authentication. If the duration period expires, the client must respond correctly to a newly generated cookie from the server. The duration in this attribute is expressed in the XSD duration data type format; that is, a string of the form PnYnMnDTnHnMnS where:
    - P indicates the period (required)
    - nY indicates the number of years
    - nM indicates the number of months
    - nD indicates the number of days
    - T indicates the start of a time section (required if you are going to specify hours, minutes, or seconds)
    - nH indicates the number of hours
    - nM indicates the number of minutes
    - nS indicates the number of seconds
  - Change the name of the cookie used in authentication (tokencookiename attribute). The name defaults to the value X-SDL-Tridion-Token, but can be set to any value.
  - Change the name of the HTTP header used in authentication (tokenheadername attribute). The name defaults to the value X-SDL-Tridion-Token, but can be set to any valid value for a custom HTTP header (that is, a header starting with X-).
  If you change tokencookiename, tokenheadername, or both, and if you use the deprecated SDL Tridion Sites Monitoring feature to monitor the user interfaces, then configure the custom cookie name and header name in your Monitoring configuration as well.
- Save and close System.config.
- Restart your Web site.
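As an added configuration check (not part of the product documentation or the product's own code), the following Python script reads constructed Web.config and System.config fragments, reports whether the basic or general module is registered, and validates the tokenmaxage duration and tokenheadername values described above. The csrf element path and attribute names are taken from the procedure; the surrounding XML layout of the two sample fragments is assumed, and real files contain far more.

```python
import re
from xml.etree import ElementTree as ET
# Constructed Web.config fragment; the real file contains many more elements.
WEB_CONFIG = """<configuration><system.webServer><modules>
  <add type="Tridion.Web.UI.Core.Http.AntiCsrfModule, Tridion.Web.UI.Core" name="CME-Core-CsrfModule" />
</modules></system.webServer></configuration>"""
# Constructed System.config fragment; csrf element path and attribute names follow the procedure above.
SYSTEM_CONFIG = """<Configuration><servicemodel><client>
  <csrf tokenmaxage="PT30M" tokencookiename="X-SDL-Tridion-Token" tokenheadername="X-Example-Csrf" />
</client></servicemodel></Configuration>"""
MODULES = {"Tridion.Web.UI.Core.Http.AntiCsrfBasicModule": "basic",
           "Tridion.Web.UI.Core.Http.AntiCsrfModule": "general"}
# XSD duration PnYnMnDTnHnMnS: every component is optional, T introduces the time part.
DURATION_RE = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$")

def csrf_mode(web_config):
    """Return 'basic', 'general' or None depending on which module Web.config registers."""
    for add in ET.fromstring(web_config).iter("add"):
        if add.get("name") == "CME-Core-CsrfModule":
            return MODULES.get(add.get("type", "").split(",")[0].strip())
    return None

def parse_duration(value):
    """Split an XSD duration into components; reject malformed strings and a bare 'P' or dangling 'T'."""
    m = DURATION_RE.match(value)
    if not m or value.endswith(("P", "T")):
        raise ValueError(f"not an XSD duration: {value!r}")
    names = ("years", "months", "days", "hours", "minutes", "seconds")
    return {n: float(g) if g else 0.0 for n, g in zip(names, m.groups())}

def check_csrf_settings(web_config, system_config):
    """Return (mode, findings): the findings a reviewer would raise about the two files."""
    findings = []
    mode = csrf_mode(web_config)
    if mode is None:
        findings.append("no CME-Core-CsrfModule registered in Web.config")
    csrf = ET.fromstring(system_config).find("./servicemodel/client/csrf")
    if mode == "general" and csrf is not None:
        if "tokenmaxage" in csrf.attrib:
            try:
                parse_duration(csrf.get("tokenmaxage"))
            except ValueError as err:
                findings.append(str(err))
        header = csrf.get("tokenheadername", "X-SDL-Tridion-Token")
        if not header.startswith("X-"):
            findings.append(f"tokenheadername {header!r} does not start with X-")
    return mode, findings
```

Run it against copies of your own files to confirm the general module is registered and the token settings parse before restarting the Web site.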