For added security against CSRF-type attacks, the dotCMS CSRF filter plugin can be deployed as a strong preventative measure against “Cross-site Request Forgery”.
The plugin forces validation of the browser's “Referer” header and checks the referring host against the list of hosts being served by dotCMS. A configuration property can be used to add additional hosts to the list, or additional aliases can be added to each host using the dotCMS backend site editing tools.
This Filter will only run via OSGi in dotCMS running under the Tomcat servlet container. If you are running dotCMS in another app server, you will need to copy the logic of this plugin and provide it as a “static” plugin.
It is provided as an OSGi plugin: it can be configured, dropped onto a running dotCMS 3.0+ server, and will initialize itself.
CSRF Filter Plugin Configuration Properties
Out of the box, there are 4 properties that can be adjusted by editing the src/main/resources/plugin.properties file. The filter needs the Referer header in order to function properly, so a server referrer-header policy or SSL must be enabled.
```properties
## Apply protection to these Uri's (begins with)
csrf.protect.uri = /c/portal, /api, /dotCMS, /html/, /html/ng, /dwr, /servlet, /DotAjaxDirector, /dotScheduledJobs, /dotTailLogServlet, /categoriesServlet, /JSONTags

## These are valid referring hosts (in addition to the hosts and aliases set in dotCMS)
csrf.valid.host.referers = testing.dotcms.com, localhost, 127.0.0.1

## Always allow these domains to pass - even without passing a referer
csrf.whitelist.host = testing.dotcms.com, testing2.dotcms.com

## Always allow these urls to pass
csrf.whitelist.uri = /html/portal/login.jsp
```
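To make the decision the filter takes on each request concrete, here is an added example (not the plugin's own code, and not using the dotCMS API) that models the rules described above, driven by the four property values from the configuration. The served site list, the request samples, and the order in which the rules are applied are assumptions; in particular it assumes csrf.whitelist.host is matched against the request's Host header, since the documentation says those hosts pass even without a Referer.

```python
"""Added example: a minimal model of the CSRF filter's referer-validation
decision, driven by the four plugin.properties keys shown above.
Not the dotCMS plugin's own code; assumptions are marked in comments."""
from urllib.parse import urlparse

# Constructed: the property values from the documentation above.
PLUGIN_PROPERTIES = {
    "csrf.protect.uri": "/c/portal, /api, /dotCMS, /html/, /html/ng, /dwr, /servlet, "
                        "/DotAjaxDirector, /dotScheduledJobs, /dotTailLogServlet, "
                        "/categoriesServlet, /JSONTags",
    "csrf.valid.host.referers": "testing.dotcms.com, localhost, 127.0.0.1",
    "csrf.whitelist.host": "testing.dotcms.com, testing2.dotcms.com",
    "csrf.whitelist.uri": "/html/portal/login.jsp",
}

# Constructed stand-in for the hosts and aliases configured in the dotCMS backend.
DOTCMS_SITE_HOSTS = ["demo.dotcms.com", "www.demo.dotcms.com"]


def split_list(value):
    """Turn a comma-separated property value into a list of trimmed entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def referer_host(referer):
    """Hostname (lowercase, no port) from a Referer URL, or None if unusable.
    Comparing the parsed hostname rather than a substring is what keeps
    'https://demo.dotcms.com.attacker.example/' from matching a served site."""
    if not referer:
        return None
    parsed = urlparse(referer)
    return parsed.hostname.lower() if parsed.hostname else None


def check_request(path, headers, properties=PLUGIN_PROPERTIES, site_hosts=DOTCMS_SITE_HOSTS):
    """Return (allowed, reason) for one request, applying the documented rules.

    headers: dict of request headers; only 'Host' and 'Referer' are consulted.
    Assumption: csrf.whitelist.host is compared with the request's Host header.
    """
    protected = split_list(properties["csrf.protect.uri"])
    whitelist_uri = split_list(properties["csrf.whitelist.uri"])
    whitelist_host = {h.lower() for h in split_list(properties["csrf.whitelist.host"])}
    valid_referers = {h.lower() for h in split_list(properties["csrf.valid.host.referers"])}
    valid_referers.update(h.lower() for h in site_hosts)

    # Rule 1: only URIs that begin with a protected prefix are checked at all.
    if not any(path.startswith(p) for p in protected):
        return True, "uri not protected"
    # Rule 2: explicitly whitelisted URIs always pass (e.g. the login page).
    if any(path.startswith(u) for u in whitelist_uri):
        return True, "uri whitelisted"
    # Rule 3: whitelisted served hosts pass even when no Referer is sent.
    host = (headers.get("Host") or "").split(":")[0].lower()
    if host in whitelist_host:
        return True, "host whitelisted"
    # Rule 4: the Referer host must be a served site/alias or a configured referer.
    ref_host = referer_host(headers.get("Referer"))
    if ref_host is None:
        return False, "missing or malformed referer"
    if ref_host in valid_referers:
        return True, "referer host valid"
    return False, "referer host %s not allowed" % ref_host


if __name__ == "__main__":
    # Constructed sample requests covering each rule.
    samples = [
        ("/api/content/save", {"Host": "demo.dotcms.com",
                               "Referer": "https://demo.dotcms.com/c/portal/edit"}),
        ("/api/content/save", {"Host": "demo.dotcms.com",
                               "Referer": "https://demo.dotcms.com.attacker.example/"}),
        ("/api/content/save", {"Host": "demo.dotcms.com"}),
        ("/api/content/save", {"Host": "testing2.dotcms.com:8443"}),
        ("/html/portal/login.jsp", {"Host": "demo.dotcms.com"}),
        ("/about-us/index", {"Host": "demo.dotcms.com"}),
    ]
    for p, h in samples:
        print(p, h.get("Referer", "<no referer>"), "->", check_request(p, h))
```

Note the trade-off the configuration is making: a protected URI reached without any Referer (for example from a browser under a strict Referrer-Policy, or through a proxy that strips the header) is blocked unless the served host is in csrf.whitelist.host or the URI is in csrf.whitelist.uri, which is why the documentation requires a referrer-header policy or SSL to be in place.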
Downloading, Building, and Deploying the CSRF Filter Plugin
Building this plugin will provide two jars, both of which need to be installed in dotCMS. Note: The fragment jar provides the exports needed to run the plugin without modifying your exports manually.
```shell
git clone https://github.com/dotCMS/com.dotcms.csrffilter.git
cd com.dotcms.csrffilter
./gradlew clean jar
```
In the /build/libs/ directory you should now see the following jars:
To deploy, upload and deploy both of these jars using the dotCMS backend Plugins tool. The plugin can be deployed or undeployed without stopping the dotCMS server.