Diffstat (limited to 'doc/config/conf.d/csrf.conf')
-rw-r--r-- | doc/config/conf.d/csrf.conf | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/doc/config/conf.d/csrf.conf b/doc/config/conf.d/csrf.conf
new file mode 100644
index 00000000..bd11ddf5
--- /dev/null
+++ b/doc/config/conf.d/csrf.conf
@@ -0,0 +1,101 @@
+#######################################################################
+##
+## CSRF Protection Module
+## ----------------
+##
+## Make sure to load "mod_auth" before (or whatever is supposed to set
+## REMOTE_USER).
+##
+server.modules += ( "mod_csrf" )
+
+## Activate CSRF module:
+##
+## If module is activated and (REMOTE_USER not empty or
+## csrf.require-user is disabled) the module makes sure the client
+## receives a token unless it has a valid token which is less than
+## csrf.ttl/4 seconds old
+##
+## Default:
+# csrf.activate = "disable"
+
+## Use conditions to activate protection for certain URLs:
+# $HTTP["url"] =~ "^/(someurl|cgi-bin)/(.+)" {
+# csrf.activate = "enable"
+# }
+
+## CSRF-protect all requests
+##
+## As soon as CSRF is activated all requests are by default protected
+## (event GET requests), i.e. require the client to send a valid CSRF
+## token. You can disable protection to just make sure the client
+## receives a valid token for future requests.
+##
+## Default:
+# csrf.protect = "enable"
+
+## Don't require CSRF for GET requests (but still send tokens in
+## response)
+# csrf.activate = "enable"
+# $HTTP["request-method"] == "GET" {
+# csrf.protect = "disable"
+# }
+
+## Require a logged in user
+##
+## To prevent mistakes in the config by default a REMOTE_USER is
+## required. If your users are authenticated in another way (say client
+## ip address) and you don't have REMOTE_USER you still can use this
+## module to prevent CSRF from external sites, but you need to disable
+## this option.
+##
+## Default:
+# csrf.require-user = "enable"
+
+## Activate debug logging
+##
+## Default:
+# csrf.debug = "disable"
+
+## Hash function to use for HMAC
+##
+## Supports whatever your openssl library recognizes
+##
+## Default:
+# csrf.hash = "sha256"
+
+## HTTP Header name for CSRF tokens
+##
+## Header name for both HTTP requests and HTTP responses.
+##
+## A client application needs to read this header from responses and
+## copy it into new requests to gain access to protected resources.
+##
+## Default:
+# csrf.header = "X-Csrf-Token"
+
+## Secret key for HMAC to "sign" token data with
+##
+## Only set this if you need tokens to stay valid across a load-balanced
+## setup. If set needs to be at least 20 characters long. Use some
+## secure "password" generator if you need this (e.g. "pwgen -s 32 1")
+##
+## Default: create a random 20-byte secret on each restart
+# csrf.secret = "..."
+
+## Default Time-To-Live for a token
+##
+## How long (in seconds) a token is valid; after csrf.ttl/4 seconds the
+## module will send the client a new token.
+##
+## Your client applications still need to be able to handle token
+## timeouts (i.e. retry requests with the new token they received).
+##
+## A token will also be valid csrf.ttl seconds *before* its timestamp
+## (to avoid problems with time sync between multiple nodes in a
+## cluster)
+##
+## Default: (10 minutes)
+# csrf.ttl = 600
+
+##
+####################################################################### |
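Review bot: The "Don't require CSRF for GET requests" example (`$HTTP["request-method"] == "GET" { csrf.protect = "disable" }`) is only safe when no GET handler changes state, and the surrounding commentary never says so; an admin who copies it onto a site with state-changing GET URLs (the `cgi-bin` example a few lines up is a typical case) gets no CSRF protection for exactly those requests. I would put directly above that block: `## Only do this if GET requests never change state on your site: once` / `## protection is off for GET, any external page can trigger such a URL.` The csrf.secret section should also say that the config file holding the secret must not be readable by other users, since the text describes it as the HMAC key that "signs" token data, so whoever can read it can presumably produce tokens the module accepts (an inference from the description; the signing code itself is not in this hunk). Finally, "(event GET requests)" in the csrf.protect commentary is a typo for "(even GET requests)".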