CSRF Referer Validation

Ryan Carrie shared this idea 6 years ago
Completed

Can we implement a native Yellowfin CSRF Prevention?

Replies (2)

The good news is that Yellowfin has a built-in CSRF filter that can be enabled. This provides mitigation to CSRF attacks by introducing a token to each browser session. If the token doesn't match the request, the request is killed. You can find more information on that here.

We currently have the discussion of providing referer validation as the second fail-safe against CSRF.

Thanks,

Ryan

This has been implemented as of 7.3.13 and 7.4.7 and can be enabled by adding the following to your <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml file:

<filter>
 <filter-name>RefererFilter</filter-name>
 <filter-class>com.hof.servlet.RefererFilter</filter-class>
 <init-param>
  <!-- The origin that request Referer headers must match; replace with the scheme, host and port clients actually use -->
  <param-name>hostingdomainURL</param-name>
  <param-value>http://localhost:8080</param-value>
 </init-param>
 <init-param>
  <!-- Comma-separated paths that are exempt from the Referer check -->
  <param-name>ignore</param-name>
  <param-value>/RunDashboard.i4,/RunReport.i4,/*.js</param-value>
 </init-param>
</filter>
<filter-mapping>
 <filter-name>RefererFilter</filter-name>
 <url-pattern>/*</url-pattern>
</filter-mapping>

Thanks,

Ryan
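To make the behaviour of a Referer check like the one configured above concrete, here is a small model of it in Python. This is an added illustration, not Yellowfin's RefererFilter code, and it makes three assumptions that the page does not state: the check compares the scheme, host and port of the Referer header with those of hostingdomainURL (so a different port or a host that merely starts with the expected name is rejected), the ignore entries are treated as glob patterns against the request path, and a request without a Referer header is rejected unless its path is ignored. The request dictionaries are constructed sample input.

```python
"""Model of a Referer-validation filter (added example, not Yellowfin code).

Assumed rules (not stated on the page):
  * Referer must have the same scheme, host and port as hostingdomainURL.
  * Paths matching an 'ignore' glob are exempt from the check.
  * A non-ignored request with no Referer header is rejected.
"""
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Assumed values mirroring the web.xml on the page
HOSTING_DOMAIN_URL = "http://localhost:8080"
IGNORE = ["/RunDashboard.i4", "/RunReport.i4", "/*.js"]

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for a URL, or None if it cannot be parsed.

    Comparing the full origin tuple avoids the classic mistake of checking
    whether the Referer merely *starts with* the hosting URL, which
    'http://localhost:8080.evil.example/' would pass.
    """
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").lower()
        port = parts.port or DEFAULT_PORTS.get(scheme)   # .port raises on junk like '8080.evil.example'
    except ValueError:
        return None
    if scheme not in DEFAULT_PORTS or not host or port is None:
        return None
    return (scheme, host, port)


def is_ignored(path, ignore=IGNORE):
    """True if the request path matches any ignore pattern (assumed glob semantics)."""
    return any(fnmatch(path, pattern) for pattern in ignore)


def check_referer(path, headers, hosting_url=HOSTING_DOMAIN_URL, ignore=IGNORE):
    """Decide whether a request passes the Referer check.

    Returns (allowed, reason). Header names are matched case-insensitively.
    """
    if is_ignored(path, ignore):
        return True, "path is on the ignore list"
    lowered = {name.lower(): value for name, value in headers.items()}
    referer = lowered.get("referer")
    if not referer:
        return False, "missing Referer header"
    expected = origin_of(hosting_url)
    actual = origin_of(referer)
    if actual is None:
        return False, "unparseable Referer header"
    if actual != expected:
        return False, f"Referer origin {actual} does not match hosting origin {expected}"
    return True, "Referer origin matches hosting origin"


if __name__ == "__main__":
    # Constructed sample requests: (path, headers)
    samples = [
        ("/MIReport.i4", {"Referer": "http://localhost:8080/MIReport.i4"}),
        ("/MIReport.i4", {"Referer": "http://attacker.example/form.html"}),
        ("/MIReport.i4", {"Referer": "http://localhost:8080.evil.example/"}),
        ("/MIReport.i4", {"Referer": "http://localhost/MIReport.i4"}),
        ("/MIReport.i4", {}),
        ("/RunDashboard.i4", {}),
        ("/js/app.js", {}),
    ]
    for path, headers in samples:
        allowed, reason = check_referer(path, headers)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {path:20} {reason}")
```

The ignore list is where the operational caveat lives: browsers and proxies configured to strip Referer, and bookmarked or embedded entry points such as the dashboard and report runners, arrive with no Referer at all, so a strict filter has to exempt them. Anything exempted is no longer covered by this second line of defence and relies on the CSRF token filter alone, so keep the list short and review it when new entry points are added.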
