
This section describes how to secure a Digizuite installation using cross-site request forgery (CSRF) protection.

Recommendation

It is recommended that Digizuite is set up with CSRF protection in order to protect against CSRF (Cross-Site Request Forgery) attacks.

Info

What is a CSRF attack?

The DAM Center's server validates the user making the request by using a session, which is created when the user logs in.

A user's session is identified by an ASP.NET session cookie. 

A malicious website may impersonate the user by making a request to the API. Such a request will also contain the ASP.NET session cookie, which makes the server believe that it's the authenticated user making the request. 

Without CSRF protection, such a request will succeed.

How does CSRF protection work?

When the user logs in, the API returns a CSRF cookie and a CSRF token.

When subsequent requests are made, the CSRF token is added to the HTTP(S) request's headers. The API then validates the CSRF cookie and the CSRF token.

The "protection" works because a malicious website will not have access to the CSRF token, so even if the ASP.NET session cookie is sent, the CSRF validation will fail, and the request will not succeed.

Digizuite DAM Center

CSRF is configured in the Digizuite DAM Center in the appSettings section of the web.config file.

The random string used when generating the cryptographic CSRF token. The install script generates this if it is not already in the web.config.

<add key="CSRFTokenPepper" value="random_string_at_least_10_characters_long" />

Another random string, which is also used when generating the cryptographic CSRF token. The install script generates this if it is not already in the web.config.

<add key="CSRFTokenPepperCookie" value="another_random_string_at_least_10_characters_long" />

If either CSRFTokenPepper or CSRFTokenPepperCookie is altered, the active sessions are cleared, which means that users are forced to log in again.

If this setting is added to appSettings, CSRF protection is disabled. It is enabled by default.

<add key="CSRFDisabled" value="true" />
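The cookie-plus-header check described above and the effect of the three appSettings keys, shown as an added example that is not Digizuite's own code. The derivation (HMAC-SHA256 over the session id with one pepper, then over the resulting cookie with the other), the cookie name CSRF-Cookie and the sample session id are assumptions made for illustration; the ASP.NET_SessionId cookie and X-CSRF-Token header names are standard.

```python
import hashlib
import hmac

# Constructed appSettings mirroring the web.config keys described on this page.
SETTINGS = {
    "CSRFTokenPepper": "random_string_at_least_10_characters_long",
    "CSRFTokenPepperCookie": "another_random_string_at_least_10_characters_long",
    "CSRFDisabled": "false",
}
SESSION_COOKIE = "ASP.NET_SessionId"  # standard ASP.NET session cookie name
CSRF_COOKIE = "CSRF-Cookie"           # hypothetical name for the CSRF cookie
CSRF_HEADER = "X-CSRF-Token"          # header named in the page's Remark

def _mac(key: str, msg: str) -> str:
    return hmac.new(key.encode(), msg.encode(), hashlib.sha256).hexdigest()

def issue_csrf_pair(session_id: str, settings: dict) -> tuple:
    """At login: derive the CSRF cookie from the session id with one pepper and
    the CSRF token from that cookie with the other (hypothetical derivation)."""
    cookie = _mac(settings["CSRFTokenPepperCookie"], session_id)
    token = _mac(settings["CSRFTokenPepper"], cookie)
    return cookie, token

def validate_request(cookies: dict, headers: dict, settings: dict) -> bool:
    """Server-side check on every subsequent request."""
    if settings.get("CSRFDisabled", "false").lower() == "true":
        return True  # protection switched off via the CSRFDisabled key
    session_id = cookies.get(SESSION_COOKIE)
    cookie = cookies.get(CSRF_COOKIE)
    token = headers.get(CSRF_HEADER)
    if not (session_id and cookie and token):
        return False  # a cross-site request sends cookies but cannot add the header
    # Recompute both values; changing either pepper makes every issued pair fail,
    # which is why altering the settings forces users to log in again.
    expected_cookie = _mac(settings["CSRFTokenPepperCookie"], session_id)
    expected_token = _mac(settings["CSRFTokenPepper"], cookie)
    return (hmac.compare_digest(expected_cookie, cookie)
            and hmac.compare_digest(expected_token, token))

if __name__ == "__main__":
    sid = "constructed-session-id"
    c, t = issue_csrf_pair(sid, SETTINGS)
    jar = {SESSION_COOKIE: sid, CSRF_COOKIE: c}
    print("legitimate:", validate_request(jar, {CSRF_HEADER: t}, SETTINGS))
    print("cross-site (no header):", validate_request(jar, {}, SETTINGS))
    print("pepper rotated:", validate_request(jar, {CSRF_HEADER: t},
          dict(SETTINGS, CSRFTokenPepper="rotated_pepper_value")))
```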

Remark

Users may be forced to log in again if the browser loses the X-CSRF-Token due to a page refresh.
