
CSRF vulnerabilities

Added by danzimal over 7 years ago

Hi;

As I understand it, one defensive measure against CSRF is to validate the 'origin' and 'referer' request headers.
We are using lighttpd 1.4.26 (with a few recommended patches), but I noticed that the 'origin' header does seem to be supported in the server.
It appears that 'referer' was added back in 1.3.0.

Any advice on where to go from here?

Thanks!


Replies (1)

RE: CSRF vulnerabilities - Added by gstrauss over 7 years ago

Your request is very vague. Please be more descriptive in your communication.

Current versions of lighttpd do not preclude use of Origin header, just as they do not preclude use of "referer".

If you mean that you want to validate Origin in lighttpd.conf, then please follow the (not yet implemented) config extensions feature request: #1556

If you want to do custom validation using Origin and/or Referer, you can (today) use mod_magnet. Some sample Lua code: AbsoLUAtion

There are some user-submitted patches for mod_csrf at https://github.com/lighttpd/lighttpd1.4/pull/13. YMMV.
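An added example, not from this thread or the lighttpd project, of the kind of mod_magnet Lua check the reply describes: it rejects state-changing requests whose Origin (or, failing that, Referer) does not match the request's Host. It assumes the 1.4.x mod_magnet API (`lighty.env`, `lighty.request`, returning a numeric status) and a script path of /etc/lighttpd/csrf.lua.

```lua
-- mod_magnet script attached with
--   magnet.attract-raw-url-to = ( "/etc/lighttpd/csrf.lua" )
-- Assumes the lighttpd 1.4.x mod_magnet API: lighty.env for request
-- variables, lighty.request for request headers, numeric return = status.

-- Reduce "scheme://host[:port]/path" (or a bare Origin value) to host[:port].
local function authority_of(url)
  local host = url:match("^[%a][%w+.-]*://([^/?#]+)")
  return host and host:lower() or nil
end

-- Only non-safe methods need the check; GET/HEAD/OPTIONS must not change state.
local function is_state_changing(method)
  return method ~= "GET" and method ~= "HEAD" and method ~= "OPTIONS"
end

local method = lighty.env["request.method"] or "GET"
if is_state_changing(method) then
  -- uri.authority is the Host header the client sent (port included if given).
  -- Caveat: default ports are not normalised here, so "https://example.com"
  -- and a Host of "example.com:443" would not compare equal.
  local expected = (lighty.env["uri.authority"] or ""):lower()

  -- Prefer Origin; fall back to Referer for clients that omit Origin.
  local source = lighty.request["Origin"] or lighty.request["Referer"]

  -- Neither header present, or an opaque "null" Origin: treat as cross-site.
  if source == nil or source == "null" then
    return 403
  end

  if authority_of(source) ~= expected then
    return 403
  end
end
-- Falling off the end lets lighttpd handle the request normally.
```

Requests that legitimately arrive without either header (some privacy proxies strip Referer) will be refused by this script, so log 403s from it before relying on it alone.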
