CSRF protection


#1

Does FarCry 7 have any form of CSRF protection baked in?


#2

Right now you can add it to your own forms but formtools itself does not add tokens/validation to generated forms.

I’ve recently been looking at enforcing it on all Core generated forms but the first project we did a POC in some forms we needed to roll back… We later found the issue was related to a different change, but I’ve yet to revisit it due to time constraints.

If it’s something you need immediately let me know and I’ll see what we can do. It’s near the top of my list.


#3

Hey Justin,

Thanks for getting back to me with that. It’s not something we need immediately, but ideally within the next month.

If you’re looking to enforce on all Core generated forms, have you thought about extending this capability to plugins and forms generated within plugins using FarCry framework?


#4

If the plugins/application are using Core’s ft:form and ft:processform then I think it should be automatic, I’d enable it by default and provide an attribute to turn it off in case the developer needed to for some reason. We’d use a generated key for each form to avoid the same token being used everywhere, though the impact on session size should be minimal.

If the plugin/application was outputting its own /fields and doing it’s own validation then Core doesn’t really have a way to affect that code, but the calls to csrfGenerateToken and csrfVerifyToken are trivial to add as needed in that case I think.


#5

I’ve added initial CSRF token generation/validation on all forms generated by ft:form and processed by ft:processform. It defaults to on, however it’s configurable so that it can be turned off for the app if there were any issues, or turned off per ft:form/ft:processform tag individually.

Code is currently in the currently unreleased p730 branch here;

Please let me know if that covers what you need or if you have any other ideas that would improve the feature :slight_smile:


#6

Hey Justin,

That’s awesome. I’ll take a look.

Is there a rough idea on when p730 will be released?

Thanks :slight_smile:


#7

Most likely we’ll release p730 before Xmas, it has actually been around for a long time but the features that previously differentiated it from p720 weren’t really made use of much by Core itself so we didn’t publicise it or push the release heavily. There’s a few things now which mean a minor version bump is necessary (including this change).