Cross Site Request Forgery (CSRF) and Cross-Frame Scripting (XFS) protection in Lansa
Are there any Lansa best practices, documentation, and working examples for Cross Site Request Forgery (CSRF) and Cross-Frame Scripting (XFS) protection in Visual Lansa?
Re: Cross Site Request Forgery (CSRF) and Cross-Frame Scripting (XFS) protection in Lansa
Hi
As I understand, usually this kind of protection/consideration is something you handle underneath LANSA, in the code internally created by the product, transparent to the user, versus something you would like to consider when touching LANSA code. I would really suggest you send this question to LANSA support, in particular if you have a vulnerability report or something like that, so a case can be opened and followed through, which could end as an enhancement request.
Re: Cross Site Request Forgery (CSRF) and Cross-Frame Scripting (XFS) protection in Lansa
Thanks Dino ... will do!
Re: Cross Site Request Forgery (CSRF) and Cross-Frame Scripting (XFS) protection in Lansa
Hi Aidom,
Typically to mitigate against these attacks, server headers such as X-Frame-Origin can be set (most webservers allow configuration so that these headers are always sent, but as to *how* to do it -- depends very much on what webserver you are using). This is 'outside' of LANSA, as the webserver is typically either Apache or IIS.
The other method that can help is the use of CSP (Content Security Policy) Files.
Visual LANSA has had the ability to include these since SP2 of Version 14.
https://docs.lansa.com/14/en/lansa004/i ... 2_0165.htm
Visual LANSA ships with 3 different CSP (Low, Medium, Strict) files, but of course, these can (and should) be fine-tuned to your requirements.
A combination of these 2 things is usually enough to mitigate against CSRF and XFS.
Brendan.
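As an added example (not from the post and not LANSA code), the following Python checker verifies that a set of response headers actually carries the anti-framing controls Brendan describes: the X-Frame-Options header and the CSP frame-ancestors directive. The header sets at the bottom are constructed samples, not captures from a real LANSA server; the header names and values are the standard ones, not anything LANSA-specific.

```python
"""Audit HTTP response headers for anti-framing (XFS / clickjacking) protection."""
from typing import Dict, List


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for clause in value.split(";"):
        parts = clause.strip().split()
        if parts:
            # Directive names are case-insensitive; browsers honour the first occurrence.
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def audit_framing(headers: Dict[str, str]) -> List[str]:
    """Return findings about framing protection; an empty list means framing is restricted."""
    # Header names are case-insensitive, so normalise before looking them up.
    lower = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    xfo = lower.get("x-frame-options", "").strip().upper()
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is deprecated and ignored by modern browsers")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unrecognised value {xfo!r}")

    ancestors = parse_csp(lower.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is None:
        findings.append("CSP frame-ancestors missing (X-Frame-Options is the only control)")
    elif "*" in ancestors or any(a.lower() in ("http:", "https:") for a in ancestors):
        findings.append("CSP frame-ancestors allows any origin to frame the page")
    return findings


# Constructed sample header sets (not captured from a real server).
WEAK_HEADERS = {"Content-Type": "text/html"}
STRICT_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("strict", STRICT_HEADERS)):
        print(label, audit_framing(hdrs) or ["framing restricted"])
```

Point it at the headers your web server (Apache or IIS) actually returns for a LANSA page to confirm the configuration took effect.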
Re: Cross Site Request Forgery (CSRF) and Cross-Frame Scripting (XFS) protection in Lansa
Thanks for the info BrendanB ... much appreciated!