CSRF Filter Plugin - Documentation topics on: csrf filter, security.

This documentation is a static copy for this version. For current documentation, see: http://dotcms.com/docs/latest

CSRF Filter Plugin

For added security against CSRF-type attacks, the dotCMS CSRF filter plugin can be deployed as a strong preventative measure against “Cross-site Request Forgery”.

The plugin forces validation of the browser's “Referer” header on every protected request and checks the referring host against the list of hosts being served in dotCMS. A configuration property can be used to add additional hosts to that list, or additional aliases can be added to each host using the dotCMS backend site editing tools.

This filter will only run via OSGi when dotCMS is running under the Tomcat servlet container. If you are running dotCMS in another application server, you will need to copy the logic of this plugin and provide it as a “static” plugin.

It is provided as an OSGi plugin: it can be configured, dropped onto a running dotCMS 3.0+ server, and will initialize itself.

CSRF Filter Plugin Configuration Properties

Out of the box, there are 4 properties that can be adjusted by editing the src/main/resources/plugin.properties file. The filter needs the Referer header in order to function properly, so a server referrer-header policy or SSL must be enabled so that browsers send it.

  ## Apply protection to these URIs (begins with)
  csrf.protect.uri = /c/portal, /api, /dotCMS, /html/, /html/ng, /dwr, /servlet, /DotAjaxDirector, /dotScheduledJobs, /dotTailLogServlet, /categoriesServlet, /JSONTags

  ## These are valid referring hosts (in addition to the hosts and aliases set in dotCMS)
  csrf.valid.host.referers = testing.dotcms.com, localhost, 127.0.0.1

  ## Always allow these domains to pass - even without passing a referer
  csrf.whitelist.host = testing.dotcms.com, testing2.dotcms.com

  ## Always allow these URLs to pass
  csrf.whitelist.uri = /html/portal/login.jsp
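As an added illustration (not the plugin's own source), the following Java model shows the decision the filter makes from the four properties above: protected URI prefixes, the referring-host list, hosts allowed without a Referer, and whitelisted URIs. Assumptions: csrf.whitelist.host is matched against the request's Host header, csrf.whitelist.uri is an exact path match, comparisons are case-insensitive, and demo.dotcms.com is a constructed stand-in for a site configured in dotCMS.

```java
import java.net.URI;
import java.util.*;
import java.util.stream.Collectors;

// Added model of the filter's decision built from the page's four plugin.properties values; not the plugin's source.
public class CsrfReferrerCheck {
    private final List<String> protectUris;   // csrf.protect.uri: prefix match ("begins with")
    private final Set<String> validHosts;     // csrf.valid.host.referers plus the hosts/aliases dotCMS serves
    private final Set<String> whitelistHosts; // csrf.whitelist.host: matched on the request's Host header (assumption)
    private final Set<String> whitelistUris;  // csrf.whitelist.uri: exact path match (assumption)
    CsrfReferrerCheck(String protect, String validReferers, Set<String> dotcmsHosts,
                      String whitelistHost, String whitelistUri) {
        protectUris = csv(protect);
        validHosts = new HashSet<>(csv(validReferers));
        validHosts.addAll(dotcmsHosts);                // already lower-case host names
        whitelistHosts = new HashSet<>(csv(whitelistHost));
        whitelistUris = new HashSet<>(csv(whitelistUri));
    }
    private static List<String> csv(String v) {        // "a, b ,c" -> [a, b, c]; everything is compared lower-cased
        return Arrays.stream(v.split(",")).map(s -> s.trim().toLowerCase(Locale.ROOT))
                .filter(s -> !s.isEmpty()).collect(Collectors.toList());
    }
    static String refererHost(String referer) {        // host of an absolute Referer URL; null if absent/unparseable
        try {
            String h = referer == null ? null : URI.create(referer).getHost();
            return h == null ? null : h.toLowerCase(Locale.ROOT);
        } catch (IllegalArgumentException e) { return null; }   // malformed header: treat as missing
    }
    /** True when the request may proceed; hostHeader is the request's Host header, port optional. */
    boolean allow(String hostHeader, String requestUri, String referer) {
        String uri = requestUri.toLowerCase(Locale.ROOT);
        String host = hostHeader.toLowerCase(Locale.ROOT).replaceAll(":\\d+$", "");
        if (protectUris.stream().noneMatch(uri::startsWith)) return true;       // not a protected URI
        if (whitelistUris.contains(uri) || whitelistHosts.contains(host)) return true;
        // Compare the parsed host, never a substring: "https://demo.dotcms.com.evil.example/" must fail.
        String refHost = refererHost(referer);
        return refHost != null && (refHost.equals(host) || validHosts.contains(refHost));
    }
    public static void main(String[] args) {
        CsrfReferrerCheck f = new CsrfReferrerCheck("/c/portal, /api, /dotCMS, /html/, /dwr",
                "testing.dotcms.com, localhost, 127.0.0.1", Set.of("demo.dotcms.com"), // constructed dotCMS host
                "testing2.dotcms.com", "/html/portal/login.jsp");
        System.out.println(f.allow("demo.dotcms.com:8443", "/api/v1/content", "https://demo.dotcms.com:8443/c/portal"));
        System.out.println(f.allow("demo.dotcms.com", "/api/v1/content", "https://demo.dotcms.com.evil.example/"));
        System.out.println(f.allow("demo.dotcms.com", "/api/v1/content", null));
        System.out.println(f.allow("testing2.dotcms.com", "/api/v1/content", null));
        System.out.println(f.allow("demo.dotcms.com", "/html/portal/login.jsp", null));
    }
}
```

The five calls cover a same-host referer, a look-alike referring host, a protected URI with no Referer at all, a whitelisted host without a Referer, and a whitelisted URI; only the first, fourth and fifth are allowed through.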

Downloading, Building, and Deploying the CSRF Filter Plugin

Building this plugin will provide two jars, both of which need to be installed in dotCMS. Note: The fragment jar provides the exports needed to run the plugin without modifying your exports manually.

  git clone https://github.com/dotCMS/com.dotcms.csrffilter.git
  cd com.dotcms.csrffilter
  ./gradlew clean jar

In the /build/libs/ directory you should now see the following jars:

  com.dotcms.csrffilter-0.1.jar
  csrf-exports-fragment.jar

To deploy, upload and deploy both of these jars using the dotCMS backend Plugins tool. The plugin can be deployed or undeployed without stopping the dotCMS server.