
I am aware that it is best to keep my web application patched and protected against those kinds of attacks, but in my case this is more of an experimental thing.

Is there anything useful, like a module that can be used for Apache (2.4.7), in order to "protect" against CSRF attacks?

user134969

2 Answers


The general way is appending CSRF protection tokens to the input and comparing them on each request. Apache in its configuration is not capable of storing session data about users, so it won't be able to evaluate the authority of requests. Thus, Apache modules for CSRF protection don't exist. This is the job of your web application.

Edit: there are some scratches online like this one, called mod_csrf, but it's not really an Apache mod in the traditional meaning. (You have to copy files to the webroot.)

Rápli András

You do not need session data to implement CSRF protection. Each form/post needs to have a hidden id field or id header, and each such request needs an HTTP-only cookie with the same id value. The server (Apache) should check that the form-field/header value matches the value in the cookie. – mvermand Sep 26 '17 at 13:46
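Both patterns discussed in this answer and its comment, as an added example that is not part of the original answer or comment: the synchronizer token, which needs the server-side session state the answer says Apache lacks, and the stateless double-submit cookie the comment describes. Requests are modelled as plain dicts (cookies, form, headers) so the code runs without a web framework or Apache; the in-memory session store, the `nonce.mac` cookie format signed with a server key, and the `X-CSRF-Token` header name are assumptions of this example, not anything the answers specify.

```python
import hashlib
import hmac
import secrets

# --- Synchronizer token: the token lives in server-side session state ---

class SessionStore:
    """Tiny in-memory session store standing in for whatever a framework provides."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"csrf_token": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid):
        return self._sessions.get(sid, {}).get("csrf_token")


def synchronizer_check(store, request):
    """True only if the submitted token equals the one stored in the caller's session."""
    sid = request["cookies"].get("sid")
    expected = store.csrf_token(sid) if sid else None
    submitted = request["form"].get("csrf_token")
    if expected is None or submitted is None:
        return False
    # constant-time comparison so timing does not leak how many leading bytes match
    return hmac.compare_digest(expected.encode(), submitted.encode())


# --- Double-submit cookie: stateless, the pattern the comment above describes ---
# The cookie value carries a keyed HMAC (assumed format "nonce.mac") so that someone
# who can plant a cookie for the domain, e.g. from a sibling subdomain, still cannot
# mint a matching cookie/field pair without the server key.

SERVER_KEY = secrets.token_bytes(32)  # constructed for the demo; load from config in practice


def issue_double_submit_token(server_key=SERVER_KEY):
    """Mint 'nonce.mac'; set it as the cookie and render it into the form or header."""
    nonce = secrets.token_urlsafe(16)  # URL-safe alphabet never contains '.'
    mac = hmac.new(server_key, nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def double_submit_check(request, server_key=SERVER_KEY):
    """True only if cookie and submitted value match and the cookie's MAC is genuine."""
    cookie_val = request["cookies"].get("csrf")
    submitted = request["headers"].get("X-CSRF-Token") or request["form"].get("csrf_token")
    if not cookie_val or not submitted:
        return False
    if not hmac.compare_digest(cookie_val.encode(), submitted.encode()):
        return False
    nonce, _, mac = cookie_val.partition(".")
    expected = hmac.new(server_key, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())


def demo():
    """Run both checks over constructed requests; returns {case: accepted?}."""
    store = SessionStore()
    sid = store.new_session()
    token = store.csrf_token(sid)
    # A cross-site POST carries the victim's session cookie automatically, but the
    # attacker's page cannot read the token out of the victim's form, so it can only guess.
    sync_legit = {"cookies": {"sid": sid}, "form": {"csrf_token": token}, "headers": {}}
    sync_forged = {"cookies": {"sid": sid}, "form": {"csrf_token": "guess"}, "headers": {}}

    ds = issue_double_submit_token()
    ds_legit = {"cookies": {"csrf": ds}, "form": {}, "headers": {"X-CSRF-Token": ds}}
    ds_forged = {"cookies": {"csrf": ds}, "form": {"csrf_token": "guess"}, "headers": {}}
    # Attacker who can set a cookie on the domain but does not hold SERVER_KEY
    planted = "attacker." + "0" * 64
    ds_planted = {"cookies": {"csrf": planted}, "form": {"csrf_token": planted}, "headers": {}}

    return {
        "synchronizer_legit": synchronizer_check(store, sync_legit),
        "synchronizer_forged": synchronizer_check(store, sync_forged),
        "double_submit_legit": double_submit_check(ds_legit),
        "double_submit_forged": double_submit_check(ds_forged),
        "double_submit_planted": double_submit_check(ds_planted),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The double-submit variant is the one a web server could in principle evaluate without session storage, which is the comment's point; the keyed MAC is what stops the classic weakness of the naive version, where any party able to write a cookie for the domain can satisfy the equality check.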

Your CSRF protection will come from the application itself, e.g. CSRF guard in PHP or the anti-CSRF tokens in .NET.

Each of your forms needs a token which is validated by the server on submission, so as far as I understand there isn't a plug-in module for the web server that can do this, though you could, as part of defence in depth, consider looking at the requested-by header.

This post has more info: CSRF protection with custom headers (and without validating token)

iainpb
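Answer 2's suggestion of looking at a request header at the web server, as an added example in Apache 2.4 configuration that is not from either answer. It assumes mod_rewrite is loaded and that the application is served only from https://example.com (a placeholder origin); it goes slightly beyond the answer by checking Origin, falling back to Referer, and also honouring the newer Sec-Fetch-Site header, which browsers send regardless of the server version.

```apache
# Defence-in-depth only: a request that carries no Origin, Referer or Sec-Fetch-Site
# header at all is let through, so per-form tokens in the application stay the primary control.
RewriteEngine On

# 1. Browsers send Origin on cross-site POST/PUT/PATCH/DELETE. If it is present and
#    is not our own origin, refuse the request with 403.
RewriteCond %{REQUEST_METHOD} ^(POST|PUT|PATCH|DELETE)$
RewriteCond %{HTTP:Origin} !^$
RewriteCond %{HTTP:Origin} !^https://example\.com$ [NC]
RewriteRule .* - [F]

# 2. Some older browsers omit Origin but still send Referer; apply the same test
#    to the Referer's scheme and host (the path after it is irrelevant).
RewriteCond %{REQUEST_METHOD} ^(POST|PUT|PATCH|DELETE)$
RewriteCond %{HTTP:Origin} ^$
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://example\.com(/|$) [NC]
RewriteRule .* - [F]

# 3. Modern browsers add Sec-Fetch-Site; "cross-site" on a state-changing request is
#    an unambiguous cross-site signal even when a referrer policy has stripped Referer.
RewriteCond %{REQUEST_METHOD} ^(POST|PUT|PATCH|DELETE)$
RewriteCond %{HTTP:Sec-Fetch-Site} ^cross-site$ [NC]
RewriteRule .* - [F]
```

Test it with a same-origin and a cross-origin POST before relying on it (for example `curl -X POST -H 'Origin: https://evil.example' https://example.com/form` should get a 403, while the same request with `Origin: https://example.com` should pass), and remember that legitimate non-browser clients, which send none of these headers, are unaffected either way.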