Fortinet Document Library

Configuring CSRF protection

A cross-site request forgery (CSRF) is an attack that exploits the trust that a site has in a user's browser to transmit unauthorized commands.

Configuration overview

To protect back-end servers from CSRF attacks, you create two lists of items:

  • URL list—The URL list contains all the URLs that you want to protect. FortiADC verifies the anti-CSRF token when a client accesses a URL in this list.
  • Page List—When FortiADC receives a request for a web page in the page list, it inserts JavaScript into the web page. The script runs in the client's web browser and automatically appends an anti-CSRF token to the requests that the page generates.

Note: Parameter filters

In some cases, a request for a web page and the requests generated by its links have the same URL. FortiADC then cannot distinguish the requests that should receive the JavaScript (page list) from the requests that should be checked for the anti-CSRF parameter (URL list).

To avoid this issue, you make the Page List and URL List items unique by adding a parameter filter to them. The parameter filter adds further criteria that must match in the URL or in the HTTP body of a request.

Create your configuration carefully, making sure that every entry in the URL list has a corresponding entry in the page list. If FortiADC checks a request for the token but never added the script to the corresponding web page, the request carries no token, so FortiADC blocks it or takes the other configured action against it.
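The following simulation is an added example, not FortiADC code, that replays the two-list logic described above: page-list hits insert the script (modelled as issuing a token), URL-list hits verify it, and a parameter filter tells apart a form load and a form submit that share one path. It assumes the Full URL Pattern is matched against the request path, that the parameter filter reads the named parameter from the query string or form body, and that the token parameter is called `anti_csrf_token` (a placeholder; the real name is not given on this page).

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Added simulation, not FortiADC code. Assumptions: Full URL Pattern is a regex
# matched against the request path; a Parameter Filter matches the named
# parameter taken from the query string or form body; the token parameter is
# called "anti_csrf_token" (placeholder; the real name is not given on the page).
TOKEN_PARAM = "anti_csrf_token"

@dataclass
class Entry:
    full_url_pattern: str
    param_name: Optional[str] = None   # set only when Parameter Filter is enabled
    param_value: Optional[str] = None  # regex on that parameter's value

    def matches(self, path: str, params: dict) -> bool:
        if not re.fullmatch(self.full_url_pattern, path):
            return False
        if self.param_name is None:  # Parameter Filter disabled: path alone decides
            return True
        value = params.get(self.param_name)
        return value is not None and re.fullmatch(self.param_value, value) is not None

@dataclass
class CsrfPolicy:
    pages: list = field(default_factory=list)  # CSRF Page list: script is inserted
    urls: list = field(default_factory=list)   # CSRF URL list: token is verified
    action: str = "Alert"                      # Alert, Deny, Block or Silent-deny

def simulate(policy: CsrfPolicy, requests: list) -> list:
    """Replay one browser session. Each request is (path, params, via_page):
    via_page is True when a protected page generated the request, so the
    inserted script could append the token; False models a cross-site request."""
    token, verdicts = None, []
    for path, params, via_page in requests:
        params = dict(params)
        if via_page and token is not None:
            params.setdefault(TOKEN_PARAM, token)   # what the script does client-side
        if any(e.matches(path, params) for e in policy.urls):
            valid = token is not None and params.get(TOKEN_PARAM) == token
            verdicts.append("accept" if valid else policy.action)
        else:
            verdicts.append("accept")
        if any(e.matches(path, params) for e in policy.pages):
            token = secrets.token_hex(16)   # response now carries the script and a token
    return verdicts
```

The last scenario in the checks below reproduces the misconfiguration the text warns about: a URL-list entry with no matching page-list entry denies every legitimate user, because no script ever issued a token.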

To configure a CSRF Protection policy:

  1. Go to Web Application Firewall.
  2. Click the Common Attacks Detection tab.
  3. Click the CSRF Protection tab.
  4. Click Create New to display the configuration editor.
  5. Fill in the Name.
  6. Enable the Status.
  7. Modify the Action or Severity based on your requirements.
  8. Click Save to save the configuration.
  9. Click Edit to display the CSRF Protection configuration.
  10. Click Create New in CSRF Page to display the configuration editor, fill in the Full URL Pattern, and enable or disable Parameter Filter based on your security requirements.
  11. Click Create New in CSRF URL to display the configuration editor, fill in the Full URL Pattern, and enable or disable Parameter Filter based on your security requirements.
  12. Click Save to save the configuration.
  13. Add the CSRF Protection policy to a WAF profile.

CSRF Protection configuration

Settings and guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

Action

Select which action FortiADC takes when it detects a missing or incorrect anti-CSRF parameter:

  • Alert—Accept the request and generate an alert email, log message, or both.
  • Deny—Block the request (or reset the connection).
  • Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
  • Silent-deny—Deny without log.

The default value is Alert.

Severity

When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when it logs a CSRF attack:

  • Low
  • Medium
  • High

The default value is Low.

Full URL Pattern

Supports regular expression.

Parameter Filter

Enable/disable Parameter Filter.

Parameter Name

Name of the parameter.

Parameter Value

Supports regular expression.
