This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 9530d4b441619f75fa40ef44eb1ee08a6865b59c Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Wed Apr 15 19:42:39 2020 +0200 Documented: Adds the CSRF defense documentation (missed the add last time) --- .../docs/asciidoc/_include/sy-CSRF-defense.adoc | 47 ++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc b/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc new file mode 100644 index 0000000..4c380ff --- /dev/null +++ b/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc 
@@ -0,0 +1,47 @@ +//// +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +//// + += CSRF defense +== How is done the CSRF defense in Apache OFBiz and how to adapt it if needed +The Apache OFBiz Project +Release 17.12 + +:imagesdir: ../../themes/common-theme/webapp/images/img/ +ifdef::backend-pdf[] +:title-logo-image: image::OFBiz-Logo.svg[Apache OFBiz Logo, pdfwidth=4.25in, align=center] +:source-highlighter: rouge +endif::[] + +=== The same-Site attribute + +[quote,According to OWASP ZAP] +____ +The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks. +____ + +By default OOTB the SameSiteFilter property sets the same-site attribute value to 'strict. SameSiteFilter allows to change to 'lax' if needed + + +===== Properties + +The _security.properties_ file contains related properties: + + # -- By default the SameSite value in SameSiteFilter is 'strict'. + # -- This property allows to change to 'lax' if needed. + SameSiteCookieAttribute=
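Review bot: the documented default and the quoted property disagree in the "Properties" section: the comment says the SameSite value defaults to 'strict', but the snippet ends with `SameSiteCookieAttribute=` and no value, so a reader cannot tell whether an empty value means 'strict' or means no SameSite attribute is emitted at all; either show `SameSiteCookieAttribute=strict` or say explicitly what an empty value does. Smaller points in the same hunk: the sentence "sets the same-site attribute value to 'strict. SameSiteFilter allows to change to 'lax' if needed" is missing the closing quote after strict and a final period; the section levels jump from `===` straight to `=====`, which AsciiDoc reports as a skipped heading level; and the subtitle "How is done the CSRF defense in Apache OFBiz and how to adapt it if needed" reads better as "How the CSRF defense is done in Apache OFBiz and how to adapt it if needed". Finally, the file is titled "CSRF defense" but only describes the SameSite cookie attribute, which is enforced by the browser and so only protects users whose browsers honor it; a sentence stating whether this is the sole CSRF measure or one layer among others would make the title accurate.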