Cross-Site Request Forgery (CSRF)

Version 8.5+

Default in version 8.6+

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. It works because the browser automatically attaches the victim's session cookie to any request aimed at the application, whether or not the request was initiated by the application's own pages. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like adding new users, changing their email address, and so forth. If the victim is part of a "Super Admin" user group, CSRF can compromise the entire web application.

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to let a user agent gain permission to access selected resources from a server on a different origin than the site currently in use. An origin is the combination of scheme, host and port, so a user agent makes a cross-origin HTTP request whenever it requests a resource from a different domain, protocol, or port than the one from which the current document originated.

The configuration options related to CSRF and CORS are:

##################################################
############### Cross-Site Request Forgery (CSRF):
##################################################
$CSRF_enabled          = true;
$CSRF_token_identifier = "CSRFToken";
$CORS_whitelist        = array();
##################################################
##################################################

Configuration options explained

  • $CSRF_enabled - enables CSRF token validation for the whole system
  • $CSRF_token_identifier - defines the name of the query string parameter used for CSRF token validation. Note: it is best left at its default (i.e. you do not need to add it to config.php)
  • $CORS_whitelist - allows other systems to make cross-origin requests. Each element of this configuration option should follow the <scheme>://<hostname> syntax, for example https://app.example.com. Because an origin includes the scheme, http:// and https:// forms of the same host are distinct entries. List only origins you trust, since every entry is permitted to call the system cross-origin
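The following is an added, illustrative PHP sketch of how the three options above are used at request time; it is not the product's own code, and the function names, the request/session array layout and the sample origin https://app.example.com are assumptions made for the example. It shows a per-session token issued once, a state-changing request validated against the parameter named by $CSRF_token_identifier, and an Origin header compared against $CORS_whitelist as an exact scheme+host match.

```php
<?php
// Added example, not the product's code: illustrative CSRF and CORS checks
// driven by the three config options documented above.

$CSRF_enabled          = true;
$CSRF_token_identifier = "CSRFToken";
$CORS_whitelist        = array("https://app.example.com"); // assumed origin

// Issue one unguessable token per session and keep it server-side.
function csrf_issue_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Validate a request: the parameter named by $identifier must equal the
// session token. Safe methods (GET/HEAD/OPTIONS) are not checked, which is
// exactly why such requests must never change state.
function csrf_request_ok(array $request, array $session, bool $enabled, string $identifier): bool {
    if (!$enabled) {
        return true;
    }
    $method = strtoupper($request['method'] ?? 'GET');
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    $sent     = (string)($request['params'][$identifier] ?? '');
    $expected = (string)($session['csrf_token'] ?? '');
    if ($sent === '' || $expected === '') {
        return false;
    }
    return hash_equals($expected, $sent); // constant-time comparison
}

// CORS: compare the browser-sent Origin header with the whitelist. An origin
// is scheme + host (+ port), so "http://app.example.com" does not match the
// "https://app.example.com" entry. Matching is exact (case-insensitive).
function cors_origin_allowed(?string $origin, array $whitelist): bool {
    if ($origin === null || $origin === 'null') {
        return false; // no Origin, or the opaque "null" origin: never trust it
    }
    $norm = rtrim(strtolower($origin), '/');
    foreach ($whitelist as $allowed) {
        if ($norm === rtrim(strtolower((string)$allowed), '/')) {
            return true;
        }
    }
    return false;
}

// Headers to send back for an allowed origin. Echo the specific origin,
// never "*", when credentials (cookies) are accepted, and add Vary: Origin
// so caches do not serve one origin's answer to another.
function cors_response_headers(string $origin): array {
    return [
        'Access-Control-Allow-Origin'      => $origin,
        'Access-Control-Allow-Credentials' => 'true',
        'Vary'                             => 'Origin',
    ];
}

// --- constructed sample traffic (not captured from a real system) ---
$session = [];
$token   = csrf_issue_token($session);

// A form submitted by the application's own page carries the token.
$legit = [
    'method' => 'POST',
    'params' => [$CSRF_token_identifier => $token, 'email' => 'me@example.com'],
];
// A forged POST from an attacker's page cannot include the token, because
// the attacker's origin cannot read it out of the victim's session.
$forged = [
    'method' => 'POST',
    'params' => ['email' => 'attacker@example.com'],
];

var_dump(csrf_request_ok($legit,  $session, $CSRF_enabled, $CSRF_token_identifier));
var_dump(csrf_request_ok($forged, $session, $CSRF_enabled, $CSRF_token_identifier));
var_dump(cors_origin_allowed('https://app.example.com', $CORS_whitelist));
var_dump(cors_origin_allowed('http://app.example.com',  $CORS_whitelist));
var_dump(cors_origin_allowed('https://evil.example',    $CORS_whitelist));
if (cors_origin_allowed('https://app.example.com', $CORS_whitelist)) {
    print_r(cors_response_headers('https://app.example.com'));
}
```

Run it with `php example.php`: the legitimate POST passes and the forged one is rejected, while of the three origins only the whitelisted https one is accepted, the http variant failing because it is a different origin. The token compare uses hash_equals so that a timing side channel cannot be used to reconstruct the token byte by byte.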