Configuring CSRF protection
CSRF stands for Cross-Site Request Forgery. It is a type of attack in which a malicious web site, email, blog, instant message or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
YSoft SafeQ can guard against this type of attack. The protection is implemented with per-session tokens that are added to every link, form and request and verified on the server side. It is applied to the Administration web application as well as to the Mobile Print web, the VIP Shared Queues application and the YSQ Client web views.
Enabling or disabling the protection
In some cases the protection itself can cause problems, for example when an unsupported browser is used or the web application is accessed through particular types of load balancers.
To enable the protection, set the property org.owasp.csrfguard.Enabled to true in the SAFEQ_DIRECTORY/tomcat/cmlweb/WEB-INF/csrf/csrf-guard.properties file. All other properties may be changed only by CSS technicians and should not be edited manually, because not every configuration has been tested and is supported with the YSoft SafeQ web applications.
org.owasp.csrfguard.Enabled = true
The protection must be enabled on every CML node and, when YSoft SafeQ Client, Mobile Print or WebDAV Scanning is used on ORS servers, on every ORS server as well.
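Because the property has to be set identically on every CML and ORS node, it is worth doing the edit with a script that changes only that one key and can also report the current state of each node's file. The following is an added example, not YSoft SafeQ or OWASP CSRFGuard code; the sample file content is constructed and the script assumes nothing about the file beyond the java.util.Properties syntax (key = value, # or ! comments, last duplicate wins).

```python
"""Set org.owasp.csrfguard.Enabled in a CSRFGuard properties file.

Added example (not part of YSoft SafeQ): it edits only the one property the
documentation says operators may touch and leaves every other line untouched.
"""
import re
import sys
from pathlib import Path
from typing import Optional

KEY = "org.owasp.csrfguard.Enabled"
# An uncommented assignment of KEY; java.util.Properties accepts '=', ':' or
# whitespace as the key/value separator.
_ASSIGN = re.compile(r"^\s*" + re.escape(KEY) + r"\s*[=:\s]\s*(?P<value>.*?)\s*$")


def _is_comment(line: str) -> bool:
    return line.lstrip().startswith(("#", "!"))


def csrf_enabled(text: str) -> Optional[bool]:
    """Effective value of KEY: True/False, or None if the key is absent.

    java.util.Properties keeps the last duplicate, so later lines win.
    """
    value = None
    for line in text.splitlines():
        if _is_comment(line):
            continue
        m = _ASSIGN.match(line)
        if m:
            value = m.group("value")
    if value is None:
        return None
    return value.strip().lower() == "true"


def set_csrf_enabled(text: str, enabled: bool) -> str:
    """Return the file text with KEY set as requested, preserving everything else.

    Every uncommented assignment of KEY is rewritten so that no stale duplicate
    further down can override the intended value; if none exists, one is appended.
    """
    wanted = f"{KEY} = {'true' if enabled else 'false'}"
    out, seen = [], False
    for line in text.splitlines():
        if not _is_comment(line) and _ASSIGN.match(line):
            out.append(wanted)
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append(wanted)
    return "\n".join(out) + "\n"


def enable_in_file(path: Path) -> bool:
    """Enable the protection in the file at path; returns True if the file changed."""
    old = path.read_text(encoding="latin-1")  # .properties files are ISO-8859-1
    new = set_csrf_enabled(old, True)
    if new != old:
        path.write_text(new, encoding="latin-1")
    return new != old


# Constructed sample resembling a csrf-guard.properties file (not the real one).
SAMPLE = """\
# OWASP CSRFGuard configuration
org.owasp.csrfguard.Enabled = false
org.owasp.csrfguard.TokenName = OWASP_CSRFTOKEN
"""

if __name__ == "__main__":
    # Usage: python csrf_enable.py SAFEQ_DIRECTORY/tomcat/cmlweb/WEB-INF/csrf/csrf-guard.properties
    changed = enable_in_file(Path(sys.argv[1]))
    print("updated" if changed else "already enabled")
```

Run it against the csrf-guard.properties file on each node (after taking a backup) and then confirm with csrf_enabled() on every node's file that the effective value is true; a node left at false is exactly the inconsistency the requirement above is warning about.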
Strengthening the security by checking the request referer value
This setting specifies a regular expression that the value of the Referer header must match. Any request to the token-serving service whose Referer header does not match the expression is discarded. Referer header checking is included to help minimize the risk of JavaScript hijacking attacks that attempt to steal tokens from the dynamically generated JavaScript. The primary defenses against JavaScript hijacking are implemented within the dynamic JavaScript itself; referer header checking adds a layer of defense in depth.
Find the referer-pattern section in the SAFEQ_DIRECTORY/tomcat/cmlweb/WEB-INF/web.xml file, remove the comment markers around it and set the value to the expected Referer value. The value is a regular expression, so the .* sequence can be used as a simple wildcard.
<init-param>
    <param-name>referer-pattern</param-name>
    <param-value>.*localhost.*</param-value>
</init-param>
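The pattern admits every Referer value it matches, so a loose expression such as the sample .*localhost.* accepts any URL that merely contains the string localhost. The script below is an added example, not YSoft SafeQ or OWASP CSRFGuard code; it assumes the pattern is applied to the whole Referer value (Java String.matches semantics, which is why the sample wraps the host in .*), uses Python's re module in place of java.util.regex (equivalent for these simple patterns), and the hostname safeq.example.com and the listed Referer values are constructed for illustration.

```python
"""Show which Referer values a referer-pattern admits.

Added example, not YSoft SafeQ or OWASP CSRFGuard code. Assumes whole-value
matching (Java String.matches); hostnames and Referer values are constructed.
"""
import re
from typing import Dict, List

# The page's sample pattern and a tightened one for a hypothetical deployment.
LOOSE_PATTERN = r".*localhost.*"
STRICT_PATTERN = r"https://safeq\.example\.com(:\d+)?/.*"

# Constructed Referer values of the kind an administrator might see in access logs.
REFERERS: List[str] = [
    "https://safeq.example.com/admin/",          # legitimate
    "https://safeq.example.com:8443/admin/",     # legitimate, explicit port
    "http://localhost/admin/",                   # local test access
    "https://localhost.attacker.example/steal",  # third-party host whose name contains 'localhost'
    "https://attacker.example/?next=localhost",  # 'localhost' only in the query string
    "https://evil.example/safeq.example.com/",   # target host name as a path segment
]


def referer_allowed(referer: str, pattern: str) -> bool:
    """True if the whole Referer value matches pattern (Java String.matches semantics)."""
    return re.fullmatch(pattern, referer) is not None


def classify(pattern: str, referers: List[str] = REFERERS) -> Dict[str, bool]:
    """Map each Referer value to whether the pattern would let the token request through."""
    return {r: referer_allowed(r, pattern) for r in referers}


def is_anchored(pattern: str) -> bool:
    """Lint: a pattern that starts with '.*' accepts any scheme and any host prefix."""
    return not pattern.startswith(".*")


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        print(f"{name}: {pattern}  anchored={is_anchored(pattern)}")
        for ref, ok in classify(pattern).items():
            print(f"  {'ALLOW' if ok else 'DENY ':5} {ref}")
```

With the loose pattern, a page served from any hostname that contains localhost, or a URL that carries the word in its query string, passes the check, while the strict pattern admits only the production origin (with or without an explicit port) and rejects the rest. Anchor the expression to the scheme and full hostname of the SafeQ web server, escape the dots, and add the port if users reach the site through a non-default one; the check is a secondary defense, so a narrow pattern costs little and a broad one gives almost nothing.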