[Solved] Current version support csrf defense?
Added by chun83044 about 1 year ago
Hi,
I use version 1.4.59. I want to check: if I update to the current version
and do not use patches (mod_csrf at https://github.com/lighttpd/lighttpd1.4/pull/13),
does the official lighttpd already support CSRF defense?
Because in our security test tool, it should include: ("X-Csrf-Token", "X-CSRFToken", "X-XSRF-TOKEN")
I think this part requires back-end support, not only front-end modifications.
Thanks.
Replies (3)
RE: Current version support csrf defense? - Added by gstrauss about 1 year ago
Does the official lighttpd already support CSRF defense?
Is there any additional information on https://github.com/lighttpd/lighttpd1.4/pull/13 that might indicate subsequent progress?
Because in our security test tool, it should include: ("X-Csrf-Token", "X-CSRFToken", "X-XSRF-TOKEN")
I think this part requires back-end support, not only front-end modifications.
Then you should use a specific backend application framework that handles creation and validation of CSRF tokens for your specific application, including application-specific timeouts and page refreshes.
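The reply above says the CSRF token should be created and validated by the backend application, with application-specific timeouts. The following is an added example of what such backend logic looks like; it is not lighttpd code, not mod_csrf, and not part of this thread. It assumes a stateless design: the token is an HMAC over the user's session id, an issue timestamp and a random nonce, keyed with a server-side secret; validation recomputes the MAC, checks it in constant time, and rejects tokens older than a configurable max age. The header names it looks for are the three listed in the question; `SECRET`, the session ids and the timestamps in the usage block are constructed test values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Mapping, Optional

# Header names from the question (hypothetical app accepts any of them).
# HTTP header names are case-insensitive, so compare them lowercased.
CSRF_HEADER_NAMES = ("x-csrf-token", "x-csrftoken", "x-xsrf-token")

# Default token lifetime in seconds; an application would tune this.
DEFAULT_MAX_AGE = 3600


def extract_csrf_header(headers: Mapping[str, str]) -> Optional[str]:
    """Return the CSRF token carried in any of the accepted header names."""
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in CSRF_HEADER_NAMES:
        if name in lowered:
            return lowered[name]
    return None


def _mac(secret: bytes, session_id: str, issued_at: int, nonce: str) -> str:
    # Binding the session id into the MAC ties the token to one session.
    message = f"{session_id}|{issued_at}|{nonce}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def generate_csrf_token(secret: bytes, session_id: str,
                        now: Optional[int] = None) -> str:
    """Create a token of the form '<issued_at>.<nonce>.<hmac-sha256 hex>'."""
    issued_at = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)  # fresh randomness per token
    return f"{issued_at}.{nonce}.{_mac(secret, session_id, issued_at, nonce)}"


def validate_csrf_token(secret: bytes, session_id: str, token: Optional[str],
                        now: Optional[int] = None,
                        max_age: int = DEFAULT_MAX_AGE) -> bool:
    """Accept only a well-formed, unexpired token whose MAC matches this session."""
    if not token:
        return False
    parts = token.split(".")
    if len(parts) != 3:
        return False
    ts_str, nonce, mac = parts
    if not ts_str.isdigit():
        return False
    issued_at = int(ts_str)
    current = int(time.time()) if now is None else now
    # Reject tokens from the future and tokens older than max_age.
    if issued_at > current or current - issued_at > max_age:
        return False
    expected = _mac(secret, session_id, issued_at, nonce)
    # Constant-time comparison; encode so arbitrary client input cannot
    # raise a TypeError from compare_digest on non-ASCII str.
    return hmac.compare_digest(expected.encode(), mac.encode())


def check_request(secret: bytes, session_id: str, headers: Mapping[str, str],
                  now: Optional[int] = None,
                  max_age: int = DEFAULT_MAX_AGE) -> bool:
    """Validate the CSRF header of a state-changing request for a session."""
    return validate_csrf_token(secret, session_id, extract_csrf_header(headers),
                               now, max_age)


if __name__ == "__main__":
    # Constructed demo values; a real app loads the secret from configuration.
    SECRET = b"constructed-test-secret"
    token = generate_csrf_token(SECRET, "sess-1", now=1000)
    print("fresh token valid:", check_request(SECRET, "sess-1",
                                              {"X-CSRFToken": token}, now=1000))
    print("other session:", check_request(SECRET, "sess-2",
                                          {"X-CSRFToken": token}, now=1000))
    print("expired:", check_request(SECRET, "sess-1",
                                    {"X-CSRFToken": token}, now=1000 + 3601))
```

The design choice worth noting is that nothing needs to be stored server-side: because the session id is inside the MAC, a token captured from one session is useless in another, and the embedded timestamp gives the application-specific timeout the reply mentions without a token table. A page refresh simply mints a new token; the old one stays valid until its age exceeds `max_age`.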
RE: Current version support csrf defense? - Added by chun83044 about 1 year ago
Is there any additional information on https://github.com/lighttpd/lighttpd1.4/pull/13 that might indicate subsequent progress?
The final response is from you:
- 4 May 2021, getting the current lighttpd release into a distro can take anywhere from a few weeks to more than two years, and is not under the control of lighttpd developers
- 21 Feb 2021, I have completely reimplemented mod_csrf for my current development branch of lighttpd.
https://github.com/gstrauss/lighttpd1.4/tree/mod_csrf
So if I want to support CSRF defense, maybe start with the branch above?
The official lighttpd is not yet supported.
Then you should use a specific backend application framework that handles creation and validation of CSRF tokens for your specific application, including application-specific timeouts and page refreshes.
It's clear. Thanks for your information.
RE: [Solved] Current version support csrf defense? - Added by gstrauss about 1 year ago
As you did not find any documentation for mod_csrf on the official lighttpd website and you did not see any updates to https://github.com/lighttpd/lighttpd1.4/pull/13, there should have been no reason to ask the question: "Does the official lighttpd already support CSRF defense?" The answer should have been obvious.
https://github.com/lighttpd/lighttpd1.4/pull/13 made it clear what the next steps are, and that required feedback has been non-existent.