11 | 11 |
12 | 12 | # Cross-Site Request Forgery (CSRF) |
13 | 13 |
|
| 14 | +Cross-Site Request Forgery (CSRF or XSRF) is a type of web attack that allows an attacker to send malicious requests to a web application on behalf of a legitimate user. |
| 15 | +The attack works by tricking the user's web browser into sending a request to the web application that the user did not intentionally make. This can allow an attacker to perform actions on the web application without the user's knowledge or consent. |
| 16 | + |
| 17 | +For example, consider a web application that allows users to transfer money between accounts. |
| 18 | +An attacker could craft a malicious link or form that, when clicked or submitted by a victim, would transfer money from the victim's account to the attacker's account. |
| 19 | +If the victim is logged into the web application and clicks the link or form, the web application would receive a request to transfer the money, and it would comply with the request because it appears to come from a legitimate user. |
| 20 | + |
| 21 | +To protect against CSRF attacks, Plone uses CSRF tokens to verify the authenticity of requests. |
| 22 | +CSRF tokens are unique, secret values that are generated by the web application and included in forms and links. |
| 23 | +When a form or link with a valid CSRF token is submitted, the web application can verify the authenticity of the request by checking the token. |
| 24 | +If the token is missing or invalid, the request is rejected. |
| 25 | + |
| 26 | +## Auto protection |
| 27 | + |
| 28 | +In Plone, CSRF protection is done almost transparently by [plone.protect](https://pypi.org/project/plone.protect/). |
| 29 | +One important aspect of `plone.protect` is that it performs the CSRF protection check on the database transaction commit, rather than at the beginning of the request. |
| 30 | +This means that the view can execute and make changes to the database, but the changes will not be persisted unless a valid CSRF token is present in the request. |
| 31 | + |
| 32 | +When a logged-in user requests a page, Plone automatically includes the auth token in all forms through the application of a transform for the `plone.transformchain` that adds a hidden field with the token. |
| 33 | +This includes, but is not limited to the following: |
| 34 | + |
| 35 | +- add and edit forms |
| 36 | +- control-panels |
| 37 | +- custom z3c-forms |
| 38 | + |
| 39 | +## Manual protection |
| 40 | + |
| 41 | +TODO |
| 42 | + |
| 43 | +## Allowing writes in absence of a protecting token |
| 44 | + |
| 45 | +TODO |
| 46 | + |
| 47 | +```{seealso} |
| 48 | +The [README file of `plone.protect`](https://github.com/plone/plone.protect/blob/master/README.rst) explains the usage and also validation in detail. |
| 49 | +``` |
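Review bot: the new `## Manual protection` and `## Allowing writes in absence of a protecting token` sections ship as bare `TODO` placeholders, so the page names exactly the two cases a developer has to handle by hand and documents neither; before merging, at least point each at the matching part of the linked `plone.protect` README (the `@protect(CheckAuthenticator)` and `PostOnly` decorators and `plone.protect.authenticator.check(request)` for manual checks; `safeWrite(obj, request)` from `plone.protect.auto` and marking the request with `IDisableCSRFProtection` for deliberate unprotected writes), and say plainly that `IDisableCSRFProtection` switches the check off for the whole request and is the last resort, while `safeWrite` is the per-object escape hatch to prefer. Two accuracy points in `## Auto protection`: "performs the CSRF protection check on the database transaction commit" overstates it; the check runs in the `plone.transformchain` transform at the end of the request, before commit, by looking for objects registered with the current transaction, and the paragraph should also say what happens on failure (the transaction is aborted and the user is redirected to the `@@confirm-action` view to confirm or cancel the action), because "the request is rejected" in the introduction reads as a hard error. "Plone automatically includes the auth token in all forms" should name the hidden field (`_authenticator`) and note that the transform only rewrites HTML responses, so JSON/AJAX endpoints and plain links (the introduction promises tokens "in forms and links") need the token added explicitly, e.g. as an `_authenticator` query parameter taken from the `@@authenticator` view. Style nits in the list: `control-panels` should be `control panels` and `custom z3c-forms` should be `custom z3c.form forms`.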