How to enable CSRF Token in Liferay?

Issue

  • How to enable CSRF Token in order to prevent CSRF attacks in Liferay?

Environment

  • Liferay DXP 7.2

Resolution

  • Liferay's p_auth token protects against CSRF and is enabled by default. Here is the main code that handles the CSRF tokens: https://github.com/liferay/liferay-portal/blob/7.2.x/portal-impl/src/com/liferay/portal/security/auth/SessionAuthToken.java
    ##
    ## Authentication Token
    ##

    #
    # Set this to false to disable CSRF protection in the portal. Disabling
    # CSRF protection is not recommended since all features become vulnerable
    # to CSRF attacks.
    #
    # The checks can be disabled for specific actions via the property
    # "auth.token.ignore.actions" or for specific portlets via the init
    # parameter "check-auth-token" in portlet.xml.
    #
    # Env: LIFERAY_AUTH_PERIOD_TOKEN_PERIOD_CHECK_PERIOD_ENABLED
    #
    auth.token.check.enabled=true

Additional Information

这篇文章有帮助吗?
0 人中有 0 人觉得有帮助