Native CSRF Prevention

Ryan Carrie shared this idea 1 year ago
Completed

Can we implement a native Yellowfin CSRF Prevention?

Comments (2)


The good news is that Yellowfin has a built-in CSRF filter that can be enabled. This provides mitigation against CSRF attacks by introducing a token to each browser session. If the token doesn't match the request, the request is killed. You can find more information on that here.

We are currently discussing providing referer validation as a second fail-safe against CSRF.

Thanks,

Ryan


This has been implemented as of 7.3.13 and 7.4.7 and can be enabled by adding the following to your <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml file:

<filter>
 <filter-name>RefererFilter</filter-name>
 <filter-class>com.hof.servlet.RefererFilter</filter-class>
 <!-- The scheme, host and port that a request's Referer must match -->
 <init-param>
  <param-name>hostingdomainURL</param-name>
  <param-value>http://localhost:8080</param-value>
 </init-param>
 <!-- Comma-separated URL patterns that are exempt from the Referer check -->
 <init-param>
  <param-name>ignore</param-name>
  <param-value>/RunDashboard.i4,/RunReport.i4,/*.js</param-value>
 </init-param>
</filter>
<!-- Apply the filter to every request path -->
<filter-mapping>
 <filter-name>RefererFilter</filter-name>
 <url-pattern>/*</url-pattern>
</filter-mapping>

Thanks,

Ryan
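To show what a referer-validation filter configured like the one above actually decides, here is an added, self-contained Python model of such a check. It is illustrative code written for this page, not Yellowfin's com.hof.servlet.RefererFilter, and the way it interprets the two parameters is an assumption: hostingdomainURL is taken as the exact scheme, host and port a request must come from, and ignore as a comma-separated list of glob patterns matched against the request path. The request paths and headers used in the demo are constructed sample input, not captured traffic.

```python
"""Illustrative model of a Referer/Origin validation filter (not Yellowfin's code)."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(url):
    """Reduce an absolute http(s) URL to (scheme, host, port), or None if unusable.

    Port defaults are filled in so 'http://host' and 'http://host:80' compare equal.
    Anything that is not an absolute http(s) URL (e.g. the literal 'null' that a
    browser sends as Origin from a sandboxed page) yields None.
    """
    try:
        parts = urlsplit(url.strip())
        scheme = parts.scheme.lower()
        host = parts.hostname  # already lower-cased by urlsplit
        if scheme not in DEFAULT_PORTS or not host:
            return None
        port = parts.port or DEFAULT_PORTS[scheme]  # raises ValueError on a bad port
    except ValueError:
        return None
    return (scheme, host, port)


class RefererFilter:
    """Models the two init-params from the web.xml snippet (assumed semantics)."""

    def __init__(self, hosting_domain_url, ignore=""):
        self.expected = parse_origin(hosting_domain_url)
        if self.expected is None:
            raise ValueError("hostingdomainURL must be an absolute http(s) URL")
        # Assumption: 'ignore' is a comma-separated list of glob patterns on the path.
        self.ignore = [p.strip() for p in ignore.split(",") if p.strip()]

    def is_ignored(self, path):
        # Note: fnmatch's '*' also matches '/', so '/*.js' covers '/js/app.js' too.
        return any(fnmatchcase(path, pat) for pat in self.ignore)

    def check(self, path, headers):
        """Return (allowed, reason) for one request.

        Origin is preferred because browsers always send it on cross-site POSTs;
        Referer is the fallback. A request with neither header fails closed, since
        a forged cross-site request can be crafted to omit the Referer entirely.
        """
        if self.is_ignored(path):
            return True, "path matches ignore list"
        hdrs = {k.lower(): v for k, v in headers.items()}
        source = hdrs.get("origin") or hdrs.get("referer")
        if not source:
            return False, "no Origin or Referer header; failing closed"
        actual = parse_origin(source)
        if actual is None:
            return False, "unparseable Origin/Referer"
        # Full tuple comparison: a prefix match would let
        # 'http://localhost:8080.attacker.example/' through.
        if actual != self.expected:
            return False, f"origin {actual} does not match expected {self.expected}"
        return True, "same-origin request"


if __name__ == "__main__":
    # Same values as the web.xml snippet; paths/headers below are constructed samples.
    f = RefererFilter("http://localhost:8080", "/RunDashboard.i4,/RunReport.i4,/*.js")
    samples = [
        ("/ReportAction.i4", {"Referer": "http://localhost:8080/RunReport.i4"}),
        ("/ReportAction.i4", {"Referer": "http://attacker.example/csrf.html"}),
        ("/ReportAction.i4", {"Referer": "http://localhost:8080.attacker.example/"}),
        ("/ReportAction.i4", {}),
        ("/RunDashboard.i4", {}),
        ("/js/app.js", {}),
    ]
    for path, headers in samples:
        allowed, reason = f.check(path, headers)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {path:20} {reason}")
```

The ignore list is what keeps a filter like this usable: entry points such as dashboards and reports are legitimately opened from bookmarks, embeds and external links that carry no same-site Referer, so they are exempted while the action endpoints behind them stay protected. The trade-off to remember is that any path on that list gets no referer protection at all, and that Referer can be stripped by a Referrer-Policy or a privacy proxy, which is why the model above fails closed rather than treating a missing header as trusted.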