Issue
- How do I enable the CSRF token in order to prevent CSRF attacks in Liferay?
Environment
- Liferay DXP 7.2
Resolution
- Liferay's p_auth token protects against CSRF and is enabled by default, so no action is needed to turn it on. The main code that handles the CSRF tokens is here: https://github.com/liferay/liferay-portal/blob/7.2.x/portal-impl/src/com/liferay/portal/security/auth/SessionAuthToken.java. The check is controlled by the following portal.properties setting (shown with its documentation block), which should stay at its default of true:
##
## Authentication Token
##
#
# Set this to false to disable CSRF protection in the portal. Disabling
# CSRF protection is not recommended since all features become vulnerable
# to CSRF attacks.
#
# The checks can be disabled for specific actions via the property
# "auth.token.ignore.actions" or for specific portlets via the init
# parameter "check-auth-token" in portlet.xml.
#
# Env: LIFERAY_AUTH_PERIOD_TOKEN_PERIOD_CHECK_PERIOD_ENABLED
#
auth.token.check.enabled=true
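To make the behaviour described by that property block concrete, here is an added, self-contained model of a session-bound CSRF token check. It is written for this article and is not Liferay's SessionAuthToken code; the parameter name p_auth is taken from the article, while the function names, the sample action strings and the ignore list are assumptions. It shows the three outcomes the properties describe: the check enforced, an action exempted as with auth.token.ignore.actions, and the whole check disabled as with auth.token.check.enabled=false.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of a per-session CSRF token check. Not Liferay's code;
# names and action strings are assumptions made for this example.

CHECK_ENABLED = True                  # mirrors auth.token.check.enabled
IGNORE_ACTIONS = {"/login/login"}     # mirrors auth.token.ignore.actions (constructed)


@dataclass
class Session:
    """Minimal stand-in for a server-side HTTP session."""
    data: dict = field(default_factory=dict)


def get_token(session):
    """Return the session's CSRF token, generating one on first use.

    The token lives only server-side and in pages rendered for this session,
    so a cross-site form or script cannot learn it.
    """
    tok = session.data.get("p_auth")
    if tok is None:
        tok = secrets.token_urlsafe(16)
        session.data["p_auth"] = tok
    return tok


def is_protected_action(action, ignore_actions=IGNORE_ACTIONS):
    """Actions on the ignore list skip the token check (use sparingly)."""
    return action not in ignore_actions


def check_request(session, action, params,
                  check_enabled=CHECK_ENABLED, ignore_actions=IGNORE_ACTIONS):
    """Decide whether a state-changing request may proceed.

    Returns (allowed, reason). Comparison is constant-time so a forged
    request cannot learn the token one byte at a time.
    """
    if not check_enabled:
        # Every action becomes reachable by a cross-site request.
        return True, "check disabled"
    if not is_protected_action(action, ignore_actions):
        return True, "action ignored"
    submitted = params.get("p_auth")
    if submitted is None:
        return False, "missing p_auth"
    expected = get_token(session)
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "p_auth mismatch"
    return True, "ok"


if __name__ == "__main__":
    s = Session()
    token = get_token(s)  # would be embedded in forms/URLs rendered for this session
    print(check_request(s, "/blogs/edit_entry", {"p_auth": token}))        # (True, 'ok')
    print(check_request(s, "/blogs/edit_entry", {}))                       # (False, 'missing p_auth')
    print(check_request(s, "/blogs/edit_entry", {"p_auth": "forged"}))     # (False, 'p_auth mismatch')
    print(check_request(s, "/login/login", {}))                            # (True, 'action ignored')
    print(check_request(s, "/blogs/edit_entry", {}, check_enabled=False))  # (True, 'check disabled')
```

The last line of the demo is the point of the article's warning: with the check disabled, a request carrying no token at all is accepted for every action, which is exactly the exposure that leaving auth.token.check.enabled=true avoids.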