Diffstat (limited to 'doc/config/conf.d/csrf.conf')
-rw-r--r--doc/config/conf.d/csrf.conf101
1 files changed, 101 insertions, 0 deletions
diff --git a/doc/config/conf.d/csrf.conf b/doc/config/conf.d/csrf.conf
new file mode 100644
index 00000000..bd11ddf5
--- /dev/null
+++ b/doc/config/conf.d/csrf.conf
@@ -0,0 +1,101 @@
+#######################################################################
+##
+## CSRF Protection Module
+## ----------------
+##
+## Make sure to load "mod_auth" before (or whatever is supposed to set
+## REMOTE_USER).
+##
+server.modules += ( "mod_csrf" )
+
+## Activate CSRF module:
+##
+## If module is activated and (REMOTE_USER not empty or
+## csrf.require-user is disabled) the module makes sure the client
+## receives a token unless it has a valid token which is less than
+## csrf.ttl/4 seconds old
+##
+## Default:
+# csrf.activate = "disable"
+
+## Use conditions to activate protection for certain URLs:
+# $HTTP["url"] =~ "^/(someurl|cgi-bin)/(.+)" {
+# csrf.activate = "enable"
+# }
+
+## CSRF-protect all requests
+##
+## As soon as CSRF is activated all requests are by default protected
+## (event GET requests), i.e. require the client to send a valid CSRF
+## token. You can disable protection to just make sure the client
+## receives a valid token for future requests.
+##
+## Default:
+# csrf.protect = "enable"
+
+## Don't require CSRF for GET requests (but still send tokens in
+## response)
+# csrf.activate = "enable"
+# $HTTP["request-method"] == "GET" {
+# csrf.protect = "disable"
+# }
+
+## Require a logged in user
+##
+## To prevent mistakes in the config by default a REMOTE_USER is
+## required. If your users are authenticated in another way (say client
+## ip address) and you don't have REMOTE_USER you still can use this
+## module to prevent CSRF from external sites, but you need to disable
+## this option.
+##
+## Default:
+# csrf.require-user = "enable"
+
+## Activate debug logging
+##
+## Default:
+# csrf.debug = "disable"
+
+## Hash function to use for HMAC
+##
+## Supports whatever your openssl library recognizes
+##
+## Default:
+# csrf.hash = "sha256"
+
+## HTTP Header name for CSRF tokens
+##
+## Header name for both HTTP requests and HTTP responses.
+##
+## A client application needs to read this header from responses and
+## copy it into new requests to gain access to protected resources.
+##
+## Default:
+# csrf.header = "X-Csrf-Token"
+
+## Secret key for HMAC to "sign" token data with
+##
+## Only set this if you need tokens to stay valid across a load-balanced
+## setup. If set needs to be at least 20 characters long. Use some
+## secure "password" generator if you need this (e.g. "pwgen -s 32 1")
+##
+## Default: create a random 20-byte secret on each restart
+# csrf.secret = "..."
+
+## Default Time-To-Live for a token
+##
+## How long (in seconds) a token is valid; after csrf.ttl/4 seconds the
+## module will send the client a new token.
+##
+## Your client applications still need to be able to handle token
+## timeouts (i.e. retry requests with the new token they received).
+##
+## A token will also be valid csrf.ttl seconds *before* its timestamp
+## (to avoid problems with time sync between multiple nodes in a
+## cluster)
+##
+## Default: (10 minutes)
+# csrf.ttl = 600
+
+##
+#######################################################################
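Review bot: The GET example (`$HTTP["request-method"] == "GET" { csrf.protect = "disable" }`) carries no caveat that it is only safe when no GET handler changes server state, which is the exact case the token check exists to cover; I would add `## Only do this if no GET request on the protected URLs changes server state.` above that block. The csrf.ttl section states a token is also accepted csrf.ttl seconds before its timestamp, so the effective acceptance window is 2*csrf.ttl rather than csrf.ttl; stating that explicitly would help operators choose the value. The csrf.secret section could note that when the secret is set in this file, the file must be readable only by the server's user, since anyone who can read it can mint valid tokens. Also, the csrf.protect comment reads "event GET requests" where "even GET requests" is meant.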