CSRF prevention

Hugo Leisink
30 October 2008, 00:38
Since version 6.10, Hiawatha has protection against Cross-Site Request Forgery. You can turn this feature on per virtual host:
VirtualHost {
    PreventCSRF = yes
}
If it's turned on, Hiawatha will not send cookies to a CGI process when a POST request has been received with a hostname from the Referer HTTP header not matching the Host HTTP header line. This will automatically log out users from that website. I chose to only protect against POST-CSRF requests, because 99.99% of all websites use POST requests to add, modify or delete information within the website, not GET requests. Almost all GET requests with a Referer not matching the Host are not dangerous. They are the result of a simple and harmless link from one website to another.
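The decision described above, written out as an added example in C (not Hiawatha's own code): withhold cookies from the CGI process only for a POST whose Referer hostname differs from the Host header. The constructed headers in main(), the 256-byte hostname limit, the case-insensitive comparison and the handling of a missing Referer or Host are assumptions of this example, not details from the post.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Copy the hostname out of a URL such as "http://www.example.com:80/path",
 * dropping scheme, port and path. Returns false when no "://" is present. */
static bool url_hostname(const char *url, char *out, size_t maxlen) {
    const char *p = strstr(url, "://");
    if (p == NULL) return false;
    p += 3;
    size_t n = strcspn(p, ":/?#");
    if (n == 0 || n >= maxlen) return false;
    memcpy(out, p, n);
    out[n] = '\0';
    return true;
}

/* Copy a Host header value into out with any ":port" suffix removed. */
static bool host_header_name(const char *host, char *out, size_t maxlen) {
    size_t n = strcspn(host, ":");
    if (n == 0 || n >= maxlen) return false;
    memcpy(out, host, n);
    out[n] = '\0';
    return true;
}

/* Case-insensitive hostname comparison (DNS names are case-insensitive). */
static bool host_equal(const char *a, const char *b) {
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

/* True when cookies should be withheld from the CGI process: the request is a
 * POST and the Referer hostname differs from the Host header. Assumptions not
 * stated in the post: ports are ignored, a POST without a parseable Referer is
 * let through, and a POST without a Host header is treated as a mismatch. */
bool csrf_withhold_cookies(const char *method, const char *host, const char *referer) {
    char ref_host[256], req_host[256];
    if (strcmp(method, "POST") != 0) return false;
    if (referer == NULL || !url_hostname(referer, ref_host, sizeof ref_host)) return false;
    if (host == NULL || !host_header_name(host, req_host, sizeof req_host)) return true;
    return !host_equal(ref_host, req_host);
}

int main(void) {   /* constructed sample headers, not captured traffic */
    printf("%d\n", csrf_withhold_cookies("POST", "www.example.com", "http://evil.example.net/form"));
    return 0;
}
```

A GET with a foreign Referer is deliberately let through, matching the post's reasoning that such requests are ordinary cross-site links.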
19 February 2009, 01:49

I've just decided to register here, so... hello everyone!
Hugo Leisink
19 February 2009, 10:26
This topic has been closed.