module to aid in CSRF protection

Added by Jin over 8 years ago

Hi,

I'm currently working on a module that should assist in protecting oneself against CSRF attacks. The module implements a "Cookie-To-Header" protection method as described here:

https://en.wikipedia.org/wiki/Cross-site_request_forgery#Cookie-to-Header_Token

I know that there are opinions that say that such functionality belongs in the application and not in the web server. However, there are cases where such a module would be very helpful. In my case there are different applications and CGI scripts that are unified by lighttpd's mod_proxy. Implementing a token system would require that all of these separate and independent applications share data and information between each other, which would be a significant effort to implement. Having this functionality available in a lighttpd module does help a lot here.

I'd like to know if there is a general interest in something like this and if such a submission could theoretically make it upstream?

If yes, I will prepare a patch and post some details and explanations to start a review process, if not, well - then I won't :)

Kind regards,
Jin
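
The Cookie-to-Header check named in the post, written in C as an added example; it is not Jin's module and not lighttpd code. The cookie name `csrf_token`, the 16-character minimum token length and all function names are assumptions, and the caller is assumed to pass the value of a custom request header (for instance `X-Csrf-Token`) as `token_hdr`.

```c
#include <stddef.h>
#include <string.h>

#define CSRF_COOKIE   "csrf_token"  /* assumed cookie name */
#define MIN_TOKEN_LEN 16            /* assumed minimum; rejects empty/short tokens */

/* Locate cookie `name` in a Cookie header value ("a=1; b=2").
 * Returns a pointer to its value and stores the value length in *len. */
static const char *cookie_value(const char *hdr, const char *name, size_t *len) {
    size_t nlen = strlen(name);
    while (*hdr) {
        while (*hdr == ' ' || *hdr == ';') hdr++;          /* skip separators */
        const char *end = strchr(hdr, ';');
        size_t plen = end ? (size_t)(end - hdr) : strlen(hdr);
        /* Exact name match only: "xcsrf_token=..." must not be accepted. */
        if (plen > nlen && hdr[nlen] == '=' && strncmp(hdr, name, nlen) == 0) {
            *len = plen - nlen - 1;
            return hdr + nlen + 1;
        }
        hdr += plen;
    }
    return NULL;
}

/* Compare n bytes without an early exit, so timing does not leak the match length. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 if the request may be passed to the backend, 0 if it must be rejected. */
int csrf_allow(const char *method, const char *cookie_hdr, const char *token_hdr) {
    /* Safe methods are not supposed to change state and carry no token. */
    if (!strcmp(method, "GET") || !strcmp(method, "HEAD") || !strcmp(method, "OPTIONS"))
        return 1;
    if (!cookie_hdr || !token_hdr) return 0;               /* either side missing */
    size_t clen = 0;
    const char *cval = cookie_value(cookie_hdr, CSRF_COOKIE, &clen);
    if (!cval || clen < MIN_TOKEN_LEN || clen != strlen(token_hdr)) return 0;
    return ct_equal(cval, token_hdr, clen);
}
```

The check relies on the browser's same-origin policy: a cross-site page can cause the cookie to be sent but cannot read it to copy its value into the header.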

