Configure a Protection Filter Against CSRF
A Cross Site Request Forgery (CSRF) attack attempts to force a user to execute functionality without their knowledge. Typically the attack is initiated by presenting the user with a link or image that when clicked invokes a request to another site with which the user already has an established an active session. CSRF is typically a browser based attack.
Open the cluster topology descriptor file, $cluster-name.xml, in a text editor.
Add the WebAppSec (webappsec) provider to topology/gateway with a parameter for each setting as follows:
<provider>
    <role>webappsec</role>
    <name>WebAppSec</name>
    <enabled>true</enabled>
    <param>
        <name>csrf.enabled</name>
        <value>$csrf_enabled</value>
    </param>
    <param><!-- Optional -->
        <name>csrf.customHeader</name>
        <value>$header_name</value>
    </param>
    <param><!-- Optional -->
        <name>csrf.methodsToIgnore</name>
        <value>$HTTP_methods</value>
    </param>
</provider>
$csrf_enabled is either true or false.
$header_name: when the optional parameter csrf.customHeader is present, the value is the name of the header whose presence marks a request as coming from a trusted source. The default, X-XSRF-Header, is described by the NSA in its guidelines for dealing with CSRF in REST.
$HTTP_methods: when the optional parameter csrf.methodsToIgnore is present, the value enumerates the HTTP methods that are allowed without the custom HTTP header. The possible values are GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT, or PATCH. For example, specifying GET allows GET requests typed into the address bar of a browser.
Save the file.
The gateway creates a new WAR file with a modified timestamp in $gateway/data/deployments.
Validate CSRF Filtering
curl -k -i --header "X-XSRF-Header: valid" -v -u guest:guest-password "https://localhost:8443/gateway/sandbox/webhdfs/v1/tmp?op=LISTSTATUS"
The LISTSTATUS request above exercises the filter only if you remove the GET method from the csrf.methodsToIgnore list; otherwise GET requests pass without the header.
Omitting the --header "X-XSRF-Header: valid" above results in an HTTP 400 bad_request. Disabling the provider, by setting csrf.enabled to false, allows a request that is missing the header.
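To make the interaction between csrf.enabled, csrf.customHeader and csrf.methodsToIgnore concrete, here is an added Python model of the filter's decision (example code, not Knox's own implementation): it reads the webappsec provider from a constructed topology descriptor and returns the status the filter would give a request. It assumes the filter tests only for the header's presence, and that GET,OPTIONS,HEAD is the ignored-method default when the parameter is absent.

```python
import xml.etree.ElementTree as ET

DEFAULT_HEADER = "X-XSRF-Header"       # default named in the configuration text above
DEFAULT_IGNORED = "GET,OPTIONS,HEAD"   # assumption: methods ignored when the param is absent


def topology(csrf_enabled="true", ignored=None, header=None):
    """Build a constructed topology descriptor with a webappsec provider (test data, not a real file)."""
    params = [("csrf.enabled", csrf_enabled)]
    if header is not None:
        params.append(("csrf.customHeader", header))
    if ignored is not None:
        params.append(("csrf.methodsToIgnore", ignored))
    body = "".join(f"<param><name>{n}</name><value>{v}</value></param>" for n, v in params)
    return (f"<topology><gateway><provider><role>webappsec</role><name>WebAppSec</name>"
            f"<enabled>true</enabled>{body}</provider></gateway></topology>")


def load_csrf_config(topology_xml):
    """Read the csrf.* params of the webappsec provider from a topology descriptor."""
    root = ET.fromstring(topology_xml)
    for prov in root.iterfind("./gateway/provider"):
        if (prov.findtext("role") or "").strip() != "webappsec":
            continue
        provider_on = (prov.findtext("enabled") or "true").strip().lower() == "true"
        params = {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
                  for p in prov.iterfind("param")}
        return {
            "enabled": provider_on and params.get("csrf.enabled", "false").lower() == "true",
            "header": params.get("csrf.customHeader", DEFAULT_HEADER),
            "ignored": {m.strip().upper() for m in
                        params.get("csrf.methodsToIgnore", DEFAULT_IGNORED).split(",") if m.strip()},
        }
    return {"enabled": False, "header": DEFAULT_HEADER, "ignored": set()}


def csrf_status(config, method, headers):
    """HTTP status the filter yields: 200 = passed through, 400 = rejected (bad_request)."""
    if not config["enabled"] or method.upper() in config["ignored"]:
        return 200
    # Header names are case-insensitive; only presence is checked, not the value.
    if any(name.lower() == config["header"].lower() for name in headers):
        return 200
    return 400


if __name__ == "__main__":
    cfg = load_csrf_config(topology(ignored="OPTIONS,HEAD"))   # GET removed from the ignore list
    print(csrf_status(cfg, "GET", {}))                          # 400
    print(csrf_status(cfg, "GET", {"X-XSRF-Header": "valid"}))  # 200
```

Running it with the default ignore list shows why the curl check above is only meaningful once GET is no longer ignored: a header-less GET is passed through regardless.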