Posted to commits@couchdb.apache.org by rn...@apache.org on 2015/09/10 14:58:38 UTC
documentation commit: updated refs/heads/master to a3101e9
Repository: couchdb-documentation
Updated Branches:
refs/heads/master 924136725 -> a3101e9af
Remove new CSRF mechanism
Project: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/commit/a3101e9a
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/tree/a3101e9a
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/diff/a3101e9a
Branch: refs/heads/master
Commit: a3101e9af7588583dd554ccf2e7aa2d1c4eb6a6b
Parents: 9241367
Author: Robert Newson <rn...@apache.org>
Authored: Thu Sep 10 12:32:32 2015 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Thu Sep 10 12:32:32 2015 +0100
----------------------------------------------------------------------
src/config/http.rst | 86 ------------------------------------------------
1 file changed, 86 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb-documentation/blob/a3101e9a/src/config/http.rst
----------------------------------------------------------------------
diff --git a/src/config/http.rst b/src/config/http.rst
index 9a93479..6a76a85 100644
--- a/src/config/http.rst
+++ b/src/config/http.rst
@@ -526,92 +526,6 @@ with the vhost name prefixed by ``cors:``. Example case for the vhost
Cross-site Request Forgery protection
=====================================
-.. config:section:: csrf :: Cross-site Request Forgery
-
- .. versionadded:: 2.0 added CSRF protection, see JIRA :issue:`2762`
-
- `CSRF`, or "Cross-site Request Forgery" is a web-based exploit
- where an attacker can cause a user agent to make an authenticated
- form post against a foreign site without their consent. The attack
- works because a user agent will send any cookies it has along with
- the request. The attacker does not see the response, nor can they
- see the user agent's cookies. The attacker hopes to gain
- indirectly, e.g, by posting to a password reset form or cause
- damage by issuing a database delete request.
-
- To prevent this, CouchDB can require a matching request header
- before processing any write request (defined as any method other
- than `GET`, `HEAD` or `OPTIONS`). The correct value of this header
- is unknown to the attacker and so their attack fails.
-
- To enable CSRF protection, add the custom request header
- `X-CouchDB-CSRF` wih value `true` to any request. The response will
- return a cookie named `CouchDB-CSRF`.
-
- If CouchDB sees the `CouchDB-CSRF` cookie in a request it expects
- the same value to be sent in the `X-CouchDB-CSRF` header. If the
- header is missing or does not match the cookie, a `403 Forbidden`
- response is generated. Additionally, CouchDB logs a warning, to
- allow administrators to detect potential CSRF attacks in progress.
-
- Careful clients can verify whether their requests were protected
- from CSRF by examining the `X-CouchDB-CSRF-Valid` response
- header. It should be present and its value should be `true`.
-
- CSRF cookies expire after a configurable period of time but will
- automatically be refreshed by CouchDB on subsequent requests. An
- expired CSRF cookie is equivalent to not sending the cookie (and
- thus the request will not be protected from CSRF).
-
- The following pseudo-code shows how to use the CSRF protection in
- an opportunistic fashion, gracefully degrading when the mechanism
- is not available.
-
- .. code-block:: javascript
-
- if (hasCookie("CouchDB-CSRF")) {
- setRequestHeader("X-CouchDB-CSRF", cookieValue("CouchDB-CSRF"));
- } else {
- setRequestHeader("X-CouchDB-CSRF", "true");
- }
-
- .. config:option:: mandatory
-
- CouchDB can insist on CSRF Cookie/Header for all requests
- (except those to the welcome handler, /, so you can acquire a
- cookie) with this setting. The default is false::
-
- [csrf]
- mandatory = true
-
- .. config:option:: mime_types
-
- CouchDB will only enforce CSRF protection for the listed mime
- types. The default list is application/x-www-form-urlencoded,
- multipart/form-data, text/plain::
-
- [csrf]
- mime_types = text/plain
-
- .. config:option:: secret
-
- All CSRF cookies are signed by the server using this value. A
- random value will be chosen if you don't specify it, but we
- recommend setting it yourself, especially if you are running a
- cluster of more than one node. The secret must match on all
- nodes in a cluster to avoid sadness::
-
- [csrf]
- secret = b6fdf2e8213a36dbcca34e61e4000967
-
- .. config:option:: timeout
-
- All CSRF cookies expire after `timeout` seconds. The default
- is an hour::
-
- [csrf]
- timeout = 3600
-
.. _config/vhosts:
Virtual Hosts
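Review bot: the hunk deletes the whole ``csrf`` config section but leaves the "Cross-site Request Forgery protection" heading at the top of the hunk as unchanged context, so after this change the heading sits empty directly above ``.. _config/vhosts:``. Either delete the heading and its ``====`` underline in the same commit, or keep it and add a one-line ``.. versionchanged::`` note under it saying that the CSRF cookie/header mechanism introduced in 2.0 (JIRA :issue:`2762`, referenced in the removed ``versionadded`` line) was withdrawn before release, so readers searching the docs for ``X-CouchDB-CSRF`` or ``[csrf]`` learn why those settings no longer exist rather than finding a bare heading. The commit message "Remove new CSRF mechanism" gives no rationale; a pointer to the issue or the corresponding source-tree commit would help future readers of this documentation change.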