You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2020/04/15 17:42:43 UTC

[ofbiz-framework] branch release18.12 updated: Documented: Adds the CSRF defense documentation (missed the add last time)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 3e22e45  Documented: Adds the CSRF defense documentation (missed the add last time)
3e22e45 is described below

commit 3e22e45c36a22de2f911292aa5cbde2d1582d129
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Wed Apr 15 19:42:39 2020 +0200

    Documented: Adds the CSRF defense documentation (missed the add last time)
---
 .../docs/asciidoc/_include/sy-CSRF-defense.adoc    | 47 ++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc b/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc
new file mode 100644
index 0000000..4c380ff
--- /dev/null
+++ b/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc
@@ -0,0 +1,47 @@
+////
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+////
+
+= CSRF defense
+== How is done the CSRF defense in Apache OFBiz and how to adapt it if needed
+The Apache OFBiz Project
+Release 17.12
+
+:imagesdir: ../../themes/common-theme/webapp/images/img/
+ifdef::backend-pdf[]
+:title-logo-image: image::OFBiz-Logo.svg[Apache OFBiz Logo, pdfwidth=4.25in, align=center]
+:source-highlighter: rouge
+endif::[]
+
+=== The same-Site attribute
+
+[quote,According to OWASP ZAP]
+____
+The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.
+____
+
+By default OOTB the SameSiteFilter property sets the same-site attribute value to 'strict. SameSiteFilter allows to change to 'lax' if needed
+
+
+===== Properties
+
+The _security.properties_ file contains related properties:
+
+    # -- By default the SameSite value in SameSiteFilter is 'strict'.
+    # -- This property allows to change to 'lax' if needed.
+    SameSiteCookieAttribute=