DC 5.9 Configuring CSRF protection

This section describes how to secure a Digizuite installation using cross-site request forgery (CSRF) protection.

Recommendation

It is recommended to set up CSRF protection on a Digizuite installation in order to protect against CSRF (cross-site request forgery) attacks.

Info

What is a CSRF attack?

The DAM Center's server validates the user making the request by using a session, which is created when the user logs in.

A user's session is identified by an ASP.NET session cookie. 

A malicious website may impersonate the user by making a request to the API. Because the browser attaches cookies automatically, such a request will also contain the ASP.NET session cookie, which makes the server believe that it is the authenticated user making the request.

Without CSRF protection, such a request will succeed.

How does CSRF protection work?

When the user logs in, the API returns a CSRF cookie and a CSRF token.

When subsequent requests are made, the CSRF token is added to the HTTP request headers. The API then validates the CSRF cookie together with the CSRF token.

The protection works because a malicious website has no access to the CSRF token, so even if the ASP.NET session cookie is sent, the CSRF validation fails and the request does not succeed.

Digizuite DAM Center

CSRF is configured in the appSettings section of the Digizuite DAM Center's web.config file.

The random string used when generating the cryptographic CSRF token. The install script generates this value if it is not already present in web.config.

<add key="CSRFTokenPepper" value="random_string_at_least_10_characters_long" />

Another random string, used when generating the cryptographic CSRF cookie. The install script generates this value if it is not already present in web.config.

<add key="CSRFTokenPepperCookie" value="another_random_string_at_least_10_characters_long" />

If either CSRFTokenPepper or CSRFTokenPepperCookie is altered, all active sessions are cleared, which means that users are forced to log in again.

If the following setting is added to appSettings, CSRF protection is disabled. It is enabled by default.

<add key="CSRFDisabled" value="true" />
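The following is an added illustration of the cookie-plus-header validation described above and of the effect of the CSRFTokenPepper, CSRFTokenPepperCookie and CSRFDisabled settings. It is not Digizuite's code: the HMAC-based derivation, the cookie name "CSRF-Cookie", the session id and the pepper values are constructed assumptions; only the X-CSRF-Token header name comes from this page.

```python
import hashlib
import hmac

# Constructed stand-ins for the web.config appSettings (not real values).
CONFIG = {
    "CSRFTokenPepper": "example_token_pepper_1234",
    "CSRFTokenPepperCookie": "example_cookie_pepper_5678",
    "CSRFDisabled": "false",
}


def issue_csrf_pair(session_id, config=CONFIG):
    """On login: derive a CSRF cookie and a CSRF header token bound to the session.
    Hypothetical scheme: cookie = HMAC(cookie pepper, session), token = HMAC(token pepper, session + cookie)."""
    cookie = hmac.new(config["CSRFTokenPepperCookie"].encode(),
                      session_id.encode(), hashlib.sha256).hexdigest()
    token = hmac.new(config["CSRFTokenPepper"].encode(),
                     (session_id + cookie).encode(), hashlib.sha256).hexdigest()
    return cookie, token


def validate_request(session_id, cookies, headers, config=CONFIG):
    """Server-side check on a subsequent request. Returns (accepted, reason)."""
    if config.get("CSRFDisabled", "false").lower() == "true":
        return True, "csrf-disabled"          # protection switched off in appSettings
    cookie = cookies.get("CSRF-Cookie")       # hypothetical cookie name
    token = headers.get("X-CSRF-Token")       # header name used by the DAM Center client
    if not cookie or not token:
        return False, "missing-cookie-or-token"
    expected_cookie, expected_token = issue_csrf_pair(session_id, config)
    if not hmac.compare_digest(cookie.encode(), expected_cookie.encode()):
        return False, "cookie-mismatch"
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return False, "token-mismatch"
    return True, "ok"


def demo():
    sid = "aspnet-session-abc123"             # constructed ASP.NET session id
    cookie, token = issue_csrf_pair(sid)
    # Legitimate client: the browser sends the cookie and the page adds the header.
    ok = validate_request(sid, {"CSRF-Cookie": cookie}, {"X-CSRF-Token": token})
    # Cross-site request: cookies are attached automatically, but the token
    # is not readable from another origin, so the header is absent.
    cross_site = validate_request(sid, {"CSRF-Cookie": cookie}, {})
    # Changing CSRFTokenPepper invalidates tokens issued before the change,
    # which is why users must log in again after the peppers are altered.
    rotated = dict(CONFIG, CSRFTokenPepper="rotated_pepper_9999")
    stale = validate_request(sid, {"CSRF-Cookie": cookie}, {"X-CSRF-Token": token}, rotated)
    return ok, cross_site, stale


if __name__ == "__main__":
    print(demo())
```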

Remark

Users may be forced to log in again if the browser loses the X-CSRF-Token due to a page refresh.

This can be mitigated by checking "Remember login credentials" when logging in. If that is done, the DAM Center will automatically log the user in again upon a page refresh.