mod_csrf – protection measures against cross-site request forgery (CSRF) attacks

The mod_csrf project implements protection measures against cross-site request forgery (CSRF) attacks. The project provides two components:

  • A JavaScript which injects a unique request id (per user/per session) into every HTTP request. The request id is added to every HTML form, hyperlink (the “a” tag by default; the list of attributes may be extended), and Ajax request.
  • An Apache module which may be used to verify that HTTP requests do contain the unique id injected by the JavaScript.

Module Directives:

CSRF_Enable ‘on’|’off’
– Enables or disables the module on a per-server or per-location basis. Default is ‘on’.
CSRF_EnableReferer ‘on’|’off’
– mod_csrf may deny requests whose HTTP Host and Referer headers do not contain the very same hostname. This Referer header check is enabled by default.
CSRF_Action ‘deny’|’log’
– Defines the action to take when a request violates the configured rules. Default is ‘deny’.
– Used to encrypt the mod_csrf request id. Default is a non-persistent random passphrase.
– The validity period of the CSRF request id injected by the JavaScript. Default is 3600 seconds.
CSRF_ScriptPath
– URL path of the JavaScript that is included in each HTML page and then injects the mod_csrf request id. Default path is ‘/csrf.js’.

Download : mod_csrf-0.0.tar.gz (32.0 kB)