CSRF protection

Overview

CSRF (Cross-Site Request Forgery) is an attack in which a victim who is authenticated to a sensitive site, such as a bank, is lured into triggering a fraudulent request to that site, such as a bank transfer. The request may be triggered by a malicious link sent over email, or by a hidden frame or form on another site; because the browser attaches the victim's session cookies to the request automatically, the site cannot distinguish the forged request from a legitimate one. WAF provides protection against CSRF attacks by validating the Origin header of AJAX POST requests (default configuration). The browser sets the Origin header itself and does not let page script overwrite it, so a request issued from another site carries that site's origin rather than the application's own, which is what the check detects. Because the check applies to AJAX POST requests, the application itself should not perform state-changing operations in response to GET requests.

Prerequisites

  • Verify any attached application services to ensure proper security after changes are deployed.

  • You need to have a user role of Security Manager or Administrator to manage a WAF policy.

How to protect from CSRF

Add CSRF protection to URLs

Add CSRF protection for specific URLs on applications, or exclude certain URLs from CSRF protection. Excluding a URL may be required when it legitimately receives requests from other origins.

By default, CSRF protection is disabled. When it is enabled, the default wildcard (*) URL enables protection on all URLs. Use this procedure to protect only specific URLs; in that case, remove the wildcard URL. You can also exclude individual URLs from CSRF protection by giving them the enforcement action None.

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Policies under WAF.

  3. Select the name of the policy.

    A panel for the General Settings opens.

  4. From the menu, select CSRF.

  5. If CSRF is not yet enabled, toggle the Enable button.

    A list of URLs with CSRF protection is displayed. By default, a wildcard (*) URL is added to protect all URLs.

  6. Click Add URL.

  7. Add the URL to the CSRF list.

  8. For Choose Method select the URL method.

  9. For Enforcement Action, select the action you want the policy to take. The policy goes through the list in order and uses the first entry whose method and URL match the request; the action configured on that entry is applied. Actions are:

    1. None: The policy does not enforce CSRF protection on the URL. Use this option to allow a URL, for example one that legitimately receives cross-origin requests.

    2. Verify Origin: The policy validates the Origin header of requests to the URL against the authorized host names and reports a CSRF violation when it does not match.

      Note: This enforcement action requires at least one authorized host name (step 11).

  10. Click Add.

  11. Click Add Host Names or Manage Host Names to add authorized host names to verify the origin of the URL.

    1. In the Name field, type the host name that is used to access the application.

    2. Select one of the following in the sub-domains field:

      1. Select Include to also authorize all sub-domains of the specified host name. The policy matches all FQDNs under that host name, and inserts WAF cookies into responses from those sub-domains.

      2. Select Exclude if only the specified host name itself is authorized to access the application.

    3. Click Save. The host name is added to the policy.

  12. Click Save. The changes are saved to the policy, but are not yet deployed to the BIG-IP Next instance.

  13. Click Deploy to deploy changes.

Manage CSRF violations

Manage how the policy handles detected CSRF attacks.

For details about default template settings for violations, see CSRF violations.

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Policies under WAF.

  3. Select the name of the policy.

    A panel for the General Settings opens.

  4. From the panel menu, click CSRF.

  5. Click Violations.

    The CSRF Violations panel opens.

  6. Select one of the following protection settings to apply when the policy detects a CSRF attack:

    1. Alarm - Sends an alert to the event log that an attack was detected; the request is not blocked.

    2. Alarm & Block - Sends an alert to the event log and blocks the request.

    3. Disabled - The policy neither detects nor enforces CSRF attacks.

  7. Click Save.

The CSRF settings are updated, but the policy changes are not yet deployed. Click Deploy to deploy the changes to the BIG-IP Next instances.
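As an added worked example (not F5 code and not a description of how BIG-IP Next implements the check), the following Python models the decision flow that the two procedures above configure: the CSRF URL list with first-match semantics and the None / Verify Origin enforcement actions, the authorized host names with the Include / Exclude sub-domain choice, and the Alarm / Alarm & Block / Disabled violation setting. Everything in it is an assumption made for illustration: the AJAX indicator (an X-Requested-With: XMLHttpRequest header), treating a missing or null Origin header as unauthorized, the entry and host names, and the constructed requests.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class UrlEntry:
    """One row of the CSRF URL list; rows are checked in order and the first match wins."""
    url: str      # "*" (the default wildcard) or an explicit path such as "/api/transfer"
    method: str   # "POST", "GET", ... or "*" for any method (assumed meaning of the wildcard)
    action: str   # "none" (allow the URL) or "verify_origin"


@dataclass(frozen=True)
class HostName:
    """An authorized host name; include_subdomains mirrors the Include / Exclude choice."""
    name: str
    include_subdomains: bool


@dataclass(frozen=True)
class Decision:
    violation: bool   # a CSRF violation was detected (logged under Alarm and Alarm & Block)
    blocked: bool     # the request is dropped (Alarm & Block only)
    reason: str


def origin_authorized(origin: Optional[str], hosts: list) -> bool:
    """True when the Origin header names an authorized host. Assumption for this model:
    a missing Origin, "Origin: null" (opaque origin, e.g. a sandboxed iframe) or an
    unparsable value is NOT authorized (fail closed)."""
    host = urlsplit(origin).hostname if origin and origin != "null" else None
    if not host:  # urlsplit drops scheme and port and lower-cases the host
        return False
    for h in hosts:
        name = h.name.lower()
        # The leading dot keeps "evilbank.example" and "bank.example.evil.example" out.
        if host == name or (h.include_subdomains and host.endswith("." + name)):
            return True
    return False


def first_match(path: str, method: str, entries: list) -> Optional[UrlEntry]:
    """First list entry whose method and URL pattern match the request, or None."""
    for e in entries:
        if e.method in ("*", method) and fnmatchcase(path, e.url):
            return e
    return None


def is_ajax_post(request: dict) -> bool:
    """Assumed AJAX indicator: the X-Requested-With header added by XMLHttpRequest wrappers."""
    hdrs = {k.lower(): v for k, v in request["headers"].items()}
    return request["method"] == "POST" and hdrs.get("x-requested-with") == "XMLHttpRequest"


def evaluate(request: dict, entries: list, hosts: list, violation_setting: str) -> Decision:
    """violation_setting is "disabled", "alarm" or "alarm_block" (the Violations panel)."""
    if violation_setting == "disabled":
        return Decision(False, False, "CSRF violation disabled: nothing is detected")
    entry = first_match(request["path"], request["method"], entries)
    if entry is None or entry.action == "none":
        return Decision(False, False, "URL not enforced: no matching entry, or action None")
    if not is_ajax_post(request):
        return Decision(False, False, "not an AJAX POST: the Origin check does not apply")
    origin = {k.lower(): v for k, v in request["headers"].items()}.get("origin")
    if origin_authorized(origin, hosts):
        return Decision(False, False, "Origin matches an authorized host name")
    return Decision(True, violation_setting == "alarm_block",
                    f"Origin {origin!r} is not an authorized host name")


# Constructed policy: the wildcard entry removed, one excluded URL, one protected URL.
ENTRIES = [
    UrlEntry("/api/health", "POST", "none"),
    UrlEntry("/api/transfer", "POST", "verify_origin"),
]
HOSTS = [HostName("bank.example", include_subdomains=True)]


def make_request(path: str, method: str, origin: Optional[str] = None, ajax: bool = True) -> dict:
    headers = {"Host": "bank.example"}  # constructed request; Origin omitted when None
    if ajax:
        headers["X-Requested-With"] = "XMLHttpRequest"
    if origin is not None:
        headers["Origin"] = origin
    return {"path": path, "method": method, "headers": headers}


def demo() -> dict:
    """Run constructed requests through the policy with Alarm & Block selected."""
    cases = {
        "same_site":   make_request("/api/transfer", "POST", "https://bank.example"),
        "sub_domain":  make_request("/api/transfer", "POST", "https://app.bank.example"),
        "forged":      make_request("/api/transfer", "POST", "https://evil.example"),
        "null_origin": make_request("/api/transfer", "POST", "null"),
        "excluded":    make_request("/api/health", "POST", "https://evil.example"),
    }
    return {name: evaluate(req, ENTRIES, HOSTS, "alarm_block") for name, req in cases.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:12} violation={d.violation!s:5} blocked={d.blocked!s:5} {d.reason}")
```

Two points in the model are worth carrying over to a real deployment: the sub-domain match requires the dot boundary, so a lookalike host such as evilbank.example or bank.example.evil.example never satisfies an Include entry for bank.example; and the choice between Alarm and Alarm & Block only changes whether a detected violation is dropped, so run with Alarm first and review the event log for legitimate cross-origin callers before switching to Alarm & Block or excluding their URLs with the None action.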