
Customize CSRF Headers

Open relnetops opened this issue 3 years ago • 4 comments

Describe the Feature

The header(s) used for the CSRF token set should be customizable.

Expected Behavior

Define one or more custom headers to validate for a CSRF token.

Use Case

The particular use case is a WAF fronting webhooks for the Twilio REST API. That API is not customizable to allow custom headers. Their documentation recommends disabling CSRF protection (?). (I'm currently attempting to work with Twilio support on this.) By default, Twilio adds a X-Twilio-Signature header that can be used to validate requests. Without supporting custom headers on the WAF, I'm forced to drop the CSRF protection down to "COUNT".

Describe Ideal Solution

Something like this:

rule_csrf_headers = [{
  field    = "X-Twilio-Signature"
  size     = 28
  operator = "GTE"
}]

Alternatives Considered

Disabling CSRF protection (far from ideal).

Additional Context

https://www.twilio.com/docs/usage/security#validating-requests

relnetops, Sep 23 '21 13:09

@relnetops Thanks for your contribution. Sorry we took that long to respond. We'll review your ISSUE and consider it for this 2022 Q1.

We always encourage our users to create a PR if it's under your possibilities. It would be great if you feel like contributing :)

CC: @binbashar/leverage-project-terraform-admin @binbashar/leverage-project-terraform-dev

exequielrafaela, Feb 10 '22 15:02

@relnetops I can see the module supports a rule_csrf_header variable which can be overridden to specify a custom one. Would that cover your basic use case? -- At least for one header, not multiple though.

diego-ojeda-binbash, Feb 10 '22 17:02

@diego-ojeda-binbash Yes, possibly. I'll test it and let you know. Thank you.

relnetops, Feb 10 '22 19:02

@diego-ojeda-binbash I tried a custom rule_csrf_header, but it doesn't work for Twilio. It might be case-sensitive, or the length is wrong. Here's the CSRF token filter with the custom header:

The length of the Header 'x-twilio-signature' is equal to 36.

It needs to be as I detailed in this ticket:

The length of the Header 'X-Twilio-Signature' is greater than or equal to 28.

relnetops, Feb 16 '22 14:02
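Added example, not code from the terraform-aws-waf-owasp module or from the issue author: the two CSRF filters quoted in this thread (the module's default, "header length equal to 36", and the Twilio variant requested in the issue body, "X-Twilio-Signature length greater than or equal to 28") written out directly as AWS WAF Classic resources, so the difference is visible side by side. It assumes the regional WAF resource family (aws_wafregional_*; the global aws_waf_* equivalents take the same arguments, except that aws_waf_rule uses a `predicates` block), and every resource, metric and header name other than X-Twilio-Signature and the default x-csrf-token is hypothetical. The reason 28 is the right bound is that X-Twilio-Signature is the base64 encoding of a 20-byte HMAC-SHA1 digest, which is always 28 characters, so an "equal to 36" constraint can never be satisfied by a Twilio webhook; the AWS WAF Classic API documents the header name in field_to_match as case-insensitive, so the operator and size, not the capitalisation, are what have to change.

```hcl
# Added example (not the module's own code). Resource names are hypothetical.

# --- Default CSRF filter as quoted in the thread: x-csrf-token must be exactly 36 chars ---
resource "aws_wafregional_size_constraint_set" "csrf_token_default" {
  name = "csrf-token-default"

  size_constraints {
    text_transformation = "NONE"
    comparison_operator = "EQ"
    size                = 36

    field_to_match {
      type = "HEADER"
      data = "x-csrf-token"
    }
  }
}

# --- Twilio webhook variant: base64(HMAC-SHA1) is 20 bytes -> 28 characters,
#     so the default EQ 36 never matches. GTE 28 is what the issue asked for;
#     EQ 28 would be the tighter choice for this particular header.
resource "aws_wafregional_size_constraint_set" "csrf_token_twilio" {
  name = "csrf-token-twilio"

  size_constraints {
    text_transformation = "NONE"
    comparison_operator = "GTE"
    size                = 28

    field_to_match {
      type = "HEADER"
      data = "X-Twilio-Signature" # header name is matched case-insensitively by WAF Classic
    }
  }
}

# Only state-changing requests need the token: match POST by method.
resource "aws_wafregional_byte_match_set" "method_post" {
  name = "method-post"

  byte_match_tuples {
    text_transformation   = "LOWERCASE"
    target_string         = "post"
    positional_constraint = "EXACTLY"

    field_to_match {
      type = "METHOD"
    }
  }
}

# Rule: request is a POST AND the header does NOT satisfy the size constraint.
# Point data_id at csrf_token_default.id instead to get the stock behaviour.
resource "aws_wafregional_rule" "csrf_twilio" {
  name        = "csrf-twilio"
  metric_name = "csrfTwilio"

  predicate {
    data_id = aws_wafregional_byte_match_set.method_post.id
    negated = false
    type    = "ByteMatch"
  }

  predicate {
    data_id = aws_wafregional_size_constraint_set.csrf_token_twilio.id
    negated = true
    type    = "SizeConstraint"
  }
}

# Attach with action COUNT first to confirm real Twilio webhooks pass, then
# switch to BLOCK (the issue author was stuck on COUNT without this change).
resource "aws_wafregional_web_acl" "csrf_example" {
  name        = "csrf-example"
  metric_name = "csrfExample"

  default_action {
    type = "ALLOW"
  }

  rule {
    priority = 10
    rule_id  = aws_wafregional_rule.csrf_twilio.id

    action {
      type = "BLOCK"
    }
  }
}
```

A size constraint only proves that a header of plausible length is present; it does not verify the signature. The HMAC check against the Twilio auth token (the docs page linked under Additional Context) still has to happen in the webhook handler behind the WAF, and the rule above should be read as a cheap pre-filter in front of that check, not a replacement for it.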

Solved at https://github.com/binbashar/terraform-aws-waf-owasp/pull/35

exequielrafaela, Mar 23 '23 17:03