The CSRF Protection Framework
In addition to the Apache Sling Referrer Filter, Adobe provides a CSRF Protection Framework to protect against this type of attack.
The framework uses tokens to verify that a state-changing request originated from a legitimate client. A token is generated when the form is delivered to the client and validated when the form is submitted back to the server; a request forged from another site cannot present a valid token, so it is rejected.
NOTE
There are no tokens on the publish instances for anonymous users.
Requirements
Dependencies
Any component that depends on the granite.jquery client library benefits from the CSRF Protection Framework automatically. Otherwise, declare a dependency on granite.csrf.standalone for each of your components before using the framework.
Replicating the Crypto Key
To use the tokens, you must replicate the HMAC key to every instance in your deployment; a token issued by one instance is only accepted by instances that hold the same key. See Replicating the HMAC key for more details.
NOTE
Make sure you also make the necessary Dispatcher configuration changes to use the CSRF Protection Framework:
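As an added example, not from this page or Adobe's documentation, this is the kind of Dispatcher filter entry needed so that the client library can fetch a token through the Dispatcher. The endpoint path `/libs/granite/csrf/token.json` and the rule number `/0070` are assumptions here; take the actual values from your Dispatcher documentation and verify the endpoint is reachable through the Dispatcher before relying on the framework on publish.

```text
# Added example (not from the page): dispatcher.any, /filter section.
/filter {
  # ... existing rules; most configurations start with a deny-all ...
  /0001 { /type "deny" /url "*" }

  # Allow the CSRF token endpoint so granite.csrf.standalone can obtain a
  # token (path and rule number are assumptions for this example).
  /0070 { /type "allow" /url "/libs/granite/csrf/token.json" }
}
```

A quick check after the change: request the token endpoint twice through the Dispatcher from an authenticated browser session and confirm that the response is not served from the Dispatcher cache, since a cached token response would hand every user the same stale token.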
NOTE
If you use the manifest cache (application cache) with your web application, add "*" to the NETWORK section of the manifest so that the manifest does not force the CSRF token generation call offline; a token request served from the cache instead of the server yields a stale or missing token. For more information, consult this link.
For more information on CSRF attacks and ways to mitigate them, see the Cross-Site Request Forgery OWASP page.