I'm looking for a (hopefully straightforward) way to add CSRF protection to an application built on Spring WebFlow 2.

An approach that migrates well to Spring WebFlow 3 (when released) is preferred.

+1 A:

The easiest way to prevent CSRF is to check the referer (`request.getHeader("referer")`) to make sure the request is coming from the same domain. It's common to see this CSRF protection system on embedded network hardware with limited memory requirements; Motorola uses this method on most of their hardware. This isn't the most secure CSRF protection; token-based protection is better, but both systems can still be bypassed with XSS. The biggest problem with token-based CSRF protection is that it takes a lot of time to go back and fix every request, and you will probably miss a few requests.

A secure way to implement this is to check the referer on all incoming POST requests, and use POST for sensitive functions like changing passwords, adding user accounts, executing code, and making configuration changes. GET should only be used for navigation or searching; basically, GET is safe for anything that doesn't cause a state change.

Make sure you test your site with an XSS scanner.

Rook
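The referer check described in the answer above, written as a servlet filter (an added example, not code from the answer or from Spring WebFlow): it rejects every non-GET/HEAD/OPTIONS request whose `Origin` (or, failing that, `Referer`) host does not match the expected host. The filter name, the `allowedHost` init-param and the use of the `javax.servlet` API are my assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Rejects state-changing requests whose Origin/Referer host is not our own host. */
public class RefererCheckFilter implements Filter {

    private String allowedHost; // assumed init-param; null means "use the request's server name"

    public void init(FilterConfig cfg) {
        allowedHost = cfg.getInitParameter("allowedHost");
    }

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (isStateChanging(request.getMethod()) && !sameOrigin(request)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Cross-site request rejected");
            return; // do not pass the request down the chain
        }
        chain.doFilter(req, res);
    }

    /** GET/HEAD/OPTIONS are treated as safe; everything else must pass the origin check. */
    static boolean isStateChanging(String method) {
        return !("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method));
    }

    /** Prefer Origin (browsers send it on POST), fall back to Referer; fail closed if both are absent. */
    boolean sameOrigin(HttpServletRequest request) {
        String source = request.getHeader("Origin");
        if (source == null) source = request.getHeader("Referer");
        if (source == null) return false;
        String expected = allowedHost != null ? allowedHost : request.getServerName();
        String host = hostOf(source);
        return host != null && host.equalsIgnoreCase(expected);
    }

    /** Parse the header as a URI and return its host part, or null if it is malformed. */
    static String hostOf(String url) {
        try { return new URI(url).getHost(); } catch (URISyntaxException e) { return null; }
    }
}
```

Because some browsers and proxies strip the Referer header, this fail-closed check can block legitimate users, which is one reason the token-based approach the answer mentions is generally preferred.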