Issue
- How to enable CSRF Token in order to prevent CSRF attacks in Liferay?
Environment
- Liferay DXP 7.2
Resolution
- Liferay's p_auth token protects against CSRF and is enabled by default, so no extra configuration is needed to turn it on. The main code that generates and checks the token is SessionAuthToken: https://github.com/liferay/liferay-portal/blob/7.2.x/portal-impl/src/com/liferay/portal/security/auth/SessionAuthToken.java
- The check is controlled by the following property in portal.properties (override it in portal-ext.properties only if you have a specific reason to):
##
## Authentication Token
##
#
# Set this to false to disable CSRF protection in the portal. Disabling
# CSRF protection is not recommended since all features become vulnerable
# to CSRF attacks.
#
# The checks can be disabled for specific actions via the property
# "auth.token.ignore.actions" or for specific portlets via the init
# parameter "check-auth-token" in portlet.xml.
#
# Env: LIFERAY_AUTH_PERIOD_TOKEN_PERIOD_CHECK_PERIOD_ENABLED
#
auth.token.check.enabled=true
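The portal checks p_auth automatically for portlet action URLs, but a custom endpoint that changes state must ask for the check itself. The following is an added example, not code from this article or from the Liferay code base: a servlet in a DXP 7.2 module that reuses Liferay's session token through AuthTokenUtil instead of inventing its own CSRF token. The servlet class, the URL path and the form field names are assumptions; AuthTokenUtil, PrincipalException, ParamUtil and HtmlUtil are the portal-kernel classes as I know them in 7.2.

```java
// Added example; not from the Liferay KB article or the Liferay code base.
// Assumes Liferay DXP 7.2 portal-kernel on the classpath. The class name,
// the /o/example/profile path and the displayName field are hypothetical.
package com.example.csrf;

import com.liferay.portal.kernel.security.auth.AuthTokenUtil;
import com.liferay.portal.kernel.security.auth.PrincipalException;
import com.liferay.portal.kernel.util.HtmlUtil;
import com.liferay.portal.kernel.util.ParamUtil;

import java.io.IOException;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ProfileUpdateServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws IOException {

        // The token is bound to the current HTTP session. Portlet URL tags add
        // it for you; a hand-written form has to carry it explicitly as p_auth.
        String token = AuthTokenUtil.getToken(request);

        response.setContentType("text/html;charset=UTF-8");
        response.getWriter().print(
            "<form method=\"post\" action=\"/o/example/profile\">" +
            "<input type=\"hidden\" name=\"p_auth\" value=\"" +
            HtmlUtil.escapeAttribute(token) + "\"/>" +
            "<input name=\"displayName\"/>" +
            "<button type=\"submit\">Save</button>" +
            "</form>");
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
        throws IOException {

        try {
            // Compares the p_auth request parameter with the session token and
            // throws PrincipalException when it is missing or does not match.
            // The second argument is the "origin" that auth.token.ignore.origins
            // can exempt; using the class name keeps it unambiguous.
            AuthTokenUtil.checkCSRFToken(
                request, ProfileUpdateServlet.class.getName());
        }
        catch (PrincipalException pe) {
            // Reject the state change; do not fall through to the update.
            response.sendError(
                HttpServletResponse.SC_FORBIDDEN, "Invalid or missing CSRF token");

            return;
        }

        // Only reached with a valid token: apply the state change.
        String displayName = ParamUtil.getString(request, "displayName");

        request.getSession().setAttribute("displayName", displayName);

        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Two things to check when reviewing such code: a POST handler that never calls the check is unprotected even though auth.token.check.enabled is true, and the token must be sent as a hidden form field or request parameter rather than baked into a bookmarkable GET URL. For ordinary portlets none of this is needed; the portal enforces the check on action URLs and it can only be switched off per portlet via the check-auth-token init parameter or per action via auth.token.ignore.actions, both of which widen the attack surface and should be justified in review.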