You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by rn...@apache.org on 2015/09/10 14:58:38 UTC

documentation commit: updated refs/heads/master to a3101e9

Repository: couchdb-documentation
Updated Branches:
  refs/heads/master 924136725 -> a3101e9af


Remove new CSRF mechanism


Project: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/commit/a3101e9a
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/tree/a3101e9a
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/diff/a3101e9a

Branch: refs/heads/master
Commit: a3101e9af7588583dd554ccf2e7aa2d1c4eb6a6b
Parents: 9241367
Author: Robert Newson <rn...@apache.org>
Authored: Thu Sep 10 12:32:32 2015 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Thu Sep 10 12:32:32 2015 +0100

----------------------------------------------------------------------
 src/config/http.rst | 86 ------------------------------------------------
 1 file changed, 86 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-documentation/blob/a3101e9a/src/config/http.rst
----------------------------------------------------------------------
diff --git a/src/config/http.rst b/src/config/http.rst
index 9a93479..6a76a85 100644
--- a/src/config/http.rst
+++ b/src/config/http.rst
@@ -526,92 +526,6 @@ with the vhost name prefixed by ``cors:``. Example case for the vhost
 Cross-site Request Forgery protection
 =====================================
 
-.. config:section:: csrf :: Cross-site Request Forgery
-
-    .. versionadded:: 2.0 added CSRF protection, see JIRA :issue:`2762`
-
-    `CSRF`, or "Cross-site Request Forgery" is a web-based exploit
-    where an attacker can cause a user agent to make an authenticated
-    form post against a foreign site without their consent. The attack
-    works because a user agent will send any cookies it has along with
-    the request. The attacker does not see the response, nor can they
-    see the user agent's cookies. The attacker hopes to gain
-    indirectly, e.g, by posting to a password reset form or cause
-    damage by issuing a database delete request.
-
-    To prevent this, CouchDB can require a matching request header
-    before processing any write request (defined as any method other
-    than `GET`, `HEAD` or `OPTIONS`). The correct value of this header
-    is unknown to the attacker and so their attack fails.
-
-    To enable CSRF protection, add the custom request header
-    `X-CouchDB-CSRF` wih value `true` to any request. The response will
-    return a cookie named `CouchDB-CSRF`.
-
-    If CouchDB sees the `CouchDB-CSRF` cookie in a request it expects
-    the same value to be sent in the `X-CouchDB-CSRF` header. If the
-    header is missing or does not match the cookie, a `403 Forbidden`
-    response is generated. Additionally, CouchDB logs a warning, to
-    allow administrators to detect potential CSRF attacks in progress.
-
-    Careful clients can verify whether their requests were protected
-    from CSRF by examining the `X-CouchDB-CSRF-Valid` response
-    header. It should be present and its value should be `true`.
-
-    CSRF cookies expire after a configurable period of time but will
-    automatically be refreshed by CouchDB on subsequent requests. An
-    expired CSRF cookie is equivalent to not sending the cookie (and
-    thus the request will not be protected from CSRF).
-
-    The following pseudo-code shows how to use the CSRF protection in
-    an opportunistic fashion, gracefully degrading when the mechanism
-    is not available.
-
-    .. code-block:: javascript
-
-        if (hasCookie("CouchDB-CSRF")) {
-          setRequestHeader("X-CouchDB-CSRF", cookieValue("CouchDB-CSRF"));
-        } else {
-          setRequestHeader("X-CouchDB-CSRF", "true");
-        }
-
-    .. config:option:: mandatory
-
-        CouchDB can insist on CSRF Cookie/Header for all requests
-        (except those to the welcome handler, /, so you can acquire a
-        cookie) with this setting. The default is false::
-
-            [csrf]
-            mandatory = true
-
-    .. config:option:: mime_types
-
-        CouchDB will only enforce CSRF protection for the listed mime
-        types. The default list is application/x-www-form-urlencoded,
-        multipart/form-data, text/plain::
-
-            [csrf]
-            mime_types = text/plain
-
-    .. config:option:: secret
-
-        All CSRF cookies are signed by the server using this value. A
-        random value will be chosen if you don't specify it, but we
-        recommend setting it yourself, especially if you are running a
-        cluster of more than one node. The secret must match on all
-        nodes in a cluster to avoid sadness::
-
-            [csrf]
-            secret = b6fdf2e8213a36dbcca34e61e4000967
-
-    .. config:option:: timeout
-
-        All CSRF cookies expire after `timeout` seconds. The default
-        is an hour::
-
-            [csrf]
-            timeout = 3600
-
 .. _config/vhosts:
 
 Virtual Hosts