
[Solved] Current version support csrf defense?

Added by chun83044 over 1 year ago

Hi,

I use version 1.4.59. I want to check: if I update to the current version

and do not use patches (mod_csrf at https://github.com/lighttpd/lighttpd1.4/pull/13),

does the official lighttpd already support CSRF defense?

Because our security test tool says it should include one of: ("X-Csrf-Token", "X-CSRFToken", "X-XSRF-TOKEN")

I think this part requires back-end support, not only front-end modifications.

Thanks.


Replies (3)

RE: Current version support csrf defense? - Added by gstrauss over 1 year ago

> Does the official lighttpd already support CSRF defense?

Is there any additional information on https://github.com/lighttpd/lighttpd1.4/pull/13 that might indicate subsequent progress?

> Because our security test tool says it should include one of: ("X-Csrf-Token", "X-CSRFToken", "X-XSRF-TOKEN")

> I think this part requires back-end support, not only front-end modifications.

Then you should use a specific backend application framework that handles creation and validation of CSRF tokens for your specific application, including application-specific timeouts and page refreshes.
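The reply above says CSRF tokens belong in the backend application, with application-specific timeouts. As an added illustration (not lighttpd code and not part of this thread), the following Python sketches what such backend support looks like: a synchronizer token bound to the session with an HMAC, an expiry, and a request check that reads the token from any of the three header names the original post lists. The secret, session ids, header dictionary shape and the 3600-second timeout are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Header names listed in the original post; matched case-insensitively.
CSRF_HEADERS = ("X-Csrf-Token", "X-CSRFToken", "X-XSRF-TOKEN")
# Application-specific timeout for a token (assumed value for this example).
TOKEN_MAX_AGE = 3600
# Methods treated as safe (no state change), so no token is required.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token is header-friendly."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _sign(secret: bytes, session_id: str, issued_at: int, nonce: str) -> str:
    """MAC over session id, issue time and nonce: binds the token to one session."""
    msg = f"{session_id}|{issued_at}|{nonce}".encode()
    return _b64(hmac.new(secret, msg, hashlib.sha256).digest())


def issue_token(secret: bytes, session_id: str, now: Optional[int] = None) -> str:
    """Return a token of the form 'issued_at.nonce.mac' for this session."""
    issued_at = int(time.time()) if now is None else now
    nonce = _b64(os.urandom(16))
    return f"{issued_at}.{nonce}.{_sign(secret, session_id, issued_at, nonce)}"


def validate_token(secret: bytes, session_id: str, token: str,
                   now: Optional[int] = None, max_age: int = TOKEN_MAX_AGE) -> bool:
    """Accept only a well-formed, unexpired token whose MAC matches this session."""
    now = int(time.time()) if now is None else now
    try:
        issued_str, nonce, mac = token.split(".")
        issued_at = int(issued_str)
    except (ValueError, AttributeError):
        return False
    if issued_at > now or now - issued_at > max_age:
        return False
    expected = _sign(secret, session_id, issued_at, nonce)
    # Constant-time comparison; also False when lengths differ.
    return hmac.compare_digest(expected, mac)


def token_from_headers(headers: dict) -> Optional[str]:
    """Pick the CSRF token from whichever of the accepted header names is present."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in CSRF_HEADERS:
        value = lowered.get(name.lower())
        if value is not None:
            return value
    return None


def request_is_allowed(secret: bytes, session_id: str, method: str,
                       headers: dict, now: Optional[int] = None) -> bool:
    """Backend-side check: safe methods pass, others need a valid session-bound token."""
    if method.upper() in SAFE_METHODS:
        return True
    token = token_from_headers(headers)
    return token is not None and validate_token(secret, session_id, token, now)


if __name__ == "__main__":
    # Constructed demo values; a real deployment loads the secret from configuration.
    secret = os.urandom(32)
    tok = issue_token(secret, "session-abc")
    print("POST with token allowed:",
          request_is_allowed(secret, "session-abc", "POST", {"X-CSRFToken": tok}))
    print("POST without token allowed:",
          request_is_allowed(secret, "session-abc", "POST", {}))
```

The token is stateless on the server side: nothing is stored per request, the session id in the MAC input is what ties it to a user, and the issue timestamp gives the timeout the reply mentions. A page refresh simply issues a fresh token with a new nonce while older ones remain valid until they expire.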

RE: Current version support csrf defense? - Added by chun83044 over 1 year ago

> Is there any additional information on https://github.com/lighttpd/lighttpd1.4/pull/13 that might indicate subsequent progress?

The final response is from you:

  • 4 May 2021, getting the current lighttpd release into a distro can take anywhere from a few weeks to more than two years, and is not under the control of lighttpd developers
  • 21 Feb 2021, I have completely reimplemented mod_csrf for my current development branch of lighttpd.
    https://github.com/gstrauss/lighttpd1.4/tree/mod_csrf

So if I want to support CSRF defense, maybe start with the branch above?
The official lighttpd does not support it yet.

> Then you should use a specific backend application framework that handles creation and validation of CSRF tokens for your specific application, including application-specific timeouts and page refreshes.

It's clear. Thanks for your information.

RE: [Solved] Current version support csrf defense? - Added by gstrauss over 1 year ago

As you did not find any documentation for mod_csrf on the official lighttpd website and you did not see any updates to https://github.com/lighttpd/lighttpd1.4/pull/13, there should have been no reason to ask the question: "Does the official lighttpd already support CSRF defense?" The answer should have been obvious.

https://github.com/lighttpd/lighttpd1.4/pull/13 made it clear what the next steps are, and that required feedback has been non-existent.
