Project

General

Profile

[Solved] Current version support csrf defense?

Added by chun83044 11 days ago

Hi,

I use ver.:1.4.59, I want to check if updated to current version

and no use patches (mod_csrf at https://github.com/lighttpd/lighttpd1.4/pull/13).

Does the official lighttpd alreadly suppot csrf defense?

Because in our security test tool should includ: ("X-Csrf-Token", "X-CSRFToken", "X-XSRF-TOKEN")

I think this part requires back-end support, not only front-end modifications.

Thanks.


Replies (3)

RE: Current version support csrf defense? - Added by gstrauss 11 days ago

Does the official lighttpd alreadly suppot csrf defense?

Is there any additional information on https://github.com/lighttpd/lighttpd1.4/pull/13 that might indicate subsequent progress?

Because in our security test tool should includ: ("X-Csrf-Token", "X-CSRFToken", "X-XSRF-TOKEN")

I think this part requires back-end support, not only front-end modifications.

Then you should use a specific backend application framework that handles creation and validation of CSRF tokens for your specific application, including application-specific timeouts and page refreshes.

RE: Current version support csrf defense? - Added by chun83044 11 days ago

Is there any additional information on https://github.com/lighttpd/lighttpd1.4/pull/13 that might indicate subsequent progress?

The final response is from you:

  • 4 May 2021, getting the current lighttpd release into a distro can take anywhere from a few weeks to more than two years, and is not under the control of lighttpd developers
  • 21 Feb 2021, I have completely reimplemented mod_csrf for my current development branch of lighttpd.
    https://github.com/gstrauss/lighttpd1.4/tree/mod_csrf

So if i want to support csrf defense, maybe start with the branch above?
The official lighttpd is not yet supported.

Then you should use a specific backend application framework that handles creation and validation of CSRF tokens for your specific application, including application-specific timeouts and page refreshes.

It's clear. Thanks for your information.

RE: [Solved] Current version support csrf defense? - Added by gstrauss 10 days ago

As you did not find any documentation for mod_csrf on the official lighttpd website and you did not see any updates to https://github.com/lighttpd/lighttpd1.4/pull/13, there should have been no reason to ask the question: "Does the official lighttpd alreadly suppot csrf defense?" The answer should have been obvious.

https://github.com/lighttpd/lighttpd1.4/pull/13 made it clear what the next steps are, and that required feedback has been non-existent.

    (1-3/3)