This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a change to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git. from 1e8ffb4 Improved: Adds the download-the-gradle-wrapper section new 242e62d Documented: Adds the CSRF defense documentation new 9530d4b Documented: Adds the CSRF defense documentation (missed the add last time) The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .../docs/asciidoc/_include/sy-CSRF-defense.adoc | 47 ++++++++++++++++++++++ framework/security/src/docs/asciidoc/security.adoc | 1 + 2 files changed, 48 insertions(+) create mode 100644 framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc |
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 242e62d6f3c74b31980bd5cf46d33b2d0a886fe1 Author: Jacques Le Roux <[hidden email]> AuthorDate: Wed Apr 15 19:37:48 2020 +0200 Documented: Adds the CSRF defense documentation --- framework/security/src/docs/asciidoc/security.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/framework/security/src/docs/asciidoc/security.adoc b/framework/security/src/docs/asciidoc/security.adoc index b107242..d8562ee 100644 --- a/framework/security/src/docs/asciidoc/security.adoc +++ b/framework/security/src/docs/asciidoc/security.adoc @@ -19,5 +19,6 @@ under the License. = Security +include::_include/sy-CSRF-defense.adoc[leveloffset=+1] include::_include/sy-password-and-JWT.adoc[leveloffset=+1] include::_include/sy-impersonation.adoc[leveloffset=+1] |
In reply to this post by jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 9530d4b441619f75fa40ef44eb1ee08a6865b59c Author: Jacques Le Roux <[hidden email]> AuthorDate: Wed Apr 15 19:42:39 2020 +0200 Documented: Adds the CSRF defense documentation (missed the add last time) --- .../docs/asciidoc/_include/sy-CSRF-defense.adoc | 47 ++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc b/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc new file mode 100644 index 0000000..4c380ff --- /dev/null +++ b/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc @@ -0,0 +1,47 @@ +//// +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +//// + += CSRF defense +== How is done the CSRF defense in Apache OFBiz and how to adapt it if needed +The Apache OFBiz Project +Release 17.12 + +:imagesdir: ../../themes/common-theme/webapp/images/img/ +ifdef::backend-pdf[] +:title-logo-image: image::OFBiz-Logo.svg[Apache OFBiz Logo, pdfwidth=4.25in, align=center] +:source-highlighter: rouge +endif::[] + +=== The same-Site attribute + +[quote,According to OWASP ZAP] +____ +The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks. +____ + +By default OOTB the SameSiteFilter property sets the same-site attribute value to 'strict. SameSiteFilter allows to change to 'lax' if needed + + +===== Properties + +The _security.properties_ file contains related properties: + + # -- By default the SameSite value in SameSiteFilter is 'strict'. + # -- This property allows to change to 'lax' if needed. + SameSiteCookieAttribute= |
Free forum by Nabble | Edit this page |