§Protecting against Cross Site Request Forgery
Cross Site Request Forgery (CSRF) is a security exploit where an attacker tricks a victim’s browser into making a request using the victim’s session. Since the session token is sent with every request, if an attacker can coerce the victim’s browser to make a request on their behalf, the attacker can make requests on the user’s behalf.
It is recommended that you familiarize yourself with CSRF, what the attack vectors are, and what the attack vectors are not. We recommend starting with this information from OWASP.
There is no simple answer to what requests are safe and what are vulnerable to CSRF requests; the reason for this is that there is no clear specification as to what is allowable from plugins and future extensions to specifications. Historically, browser plugins and extensions have relaxed the rules that frameworks previously thought could be trusted, introducing CSRF vulnerabilities to many applications, and the onus has been on the frameworks to fix them. For this reason, Play takes a conservative approach in its defaults, but allows you to configure exactly when a check is done. By default, Play will require a CSRF check when all of the following are true:
- The request method is not
GET
,HEAD
orOPTIONS
. - The request has one or more
Cookie
orAuthorization
headers. - The CORS filter is not configured to trust the request’s origin.
Note: If you use browser-based authentication other than using cookies or HTTP authentication, such as NTLM or client certificate based authentication, then you must set
play.filters.csrf.header.protectHeaders = null
, which will protect all requests, or include the headers used in authentication inprotectHeaders
.
§Play’s CSRF protection
Play supports multiple methods for verifying that a request is not a CSRF request. The primary mechanism is a CSRF token. This token gets placed either in the query string or body of every form submitted, and also gets placed in the user’s session. Play then verifies that both tokens are present and match.
To allow simple protection for non-browser requests, Play checks requests with Cookie
or Authorization
headers by default. You can configure play.filters.csrf.header.protectHeaders
to define headers that must be present to perform the CSRF check. If you are making requests with AJAX, you can place the CSRF token in the HTML page, and then add it to the request using the Csrf-Token
header.
Alternatively, you can set play.filters.csrf.header.bypassHeaders
to match common headers: A common configuration would be:
- If an
X-Requested-With
header is present, Play will consider the request safe.X-Requested-With
is added to requests by many popular Javascript libraries, such as jQuery. - If a
Csrf-Token
header with valuenocheck
is present, or with a valid CSRF token, Play will consider the request safe.
This configuration would look like:
play.filters.csrf.header.bypassHeaders {
X-Requested-With = "*"
Csrf-Token = "nocheck"
}
Caution should be taken when using this configuration option, as historically browser plugins have undermined this type of CSRF defence.
§Trusting CORS requests
By default, if you have a CORS filter before your CSRF filter, the CSRF filter will let through CORS requests from trusted origins. To disable this check, set the config option play.filters.csrf.bypassCorsTrustedOrigins = false
.
§Applying a global CSRF filter
Note: As of Play 2.6.x, the CSRF filter is included in Play’s list of default filters that are applied automatically to projects. See the Filters page for more information.
Play provides a global CSRF filter that can be applied to all requests. This is the simplest way to add CSRF protection to an application. To add the filter manually, add it to application.conf
:
play.filters.enabled += "play.filters.csrf.CSRFFilter"
It is also possible to disable the CSRF filter for a specific route in the routes file. To do this, add the nocsrf
modifier tag before your route:
+ nocsrf
POST /api/new controllers.Api.newThing
§Using an implicit request
All CSRF functionality assumes that a implicit RequestHeader
(or a Request
, which extends RequestHeader
) is available in implicit scope, and will not compile without one available. Examples will be shown below.
§Defining an implicit Request in Actions
For all the actions that need to access the CSRF token, the request must be exposed implicitly with implicit request =>
as follows:
// this actions needs to access CSRF token
def someMethod = Action { implicit request =>
// access the token as you need
Ok
}
That is because the helper methods like CSRF.getToken
access receives the request as an implicit parameter to retrieve CSRF token, for example:
def someAction = Action { implicit request =>
accessToken // request is passed implicitly to accessToken
Ok("success")
}
def accessToken(implicit request: Request[_]) = {
val token = CSRF.getToken // request is passed implicitly to CSRF.getToken
}
§Passing an implicit Request between methods
If you have broken up your code into methods that CSRF functionality is used in, then you can pass through the implicit request from the action:
def action = Action { implicit request =>
anotherMethod("Some para value")
Ok
}
def anotherMethod(p: String)(implicit request: Request[_]) = {
// do something that needs access to the request
}
§Defining an implicit Requests in Templates
Your HTML template should have an implicit RequestHeader
parameter to your template, if it doesn’t have one already, because the CSRF.formField
helper requires one to be passed in (discussed more below):
@(...)(implicit request: RequestHeader)
Since you will typically use CSRF in conjunction with form helpers that require a MessagesProvider
instance, you may want to use MessagesAbstractController
or another controller which provides a MessagesRequestHeader
:
@(...)(implicit request: MessagesRequestHeader)
Or, if you are using a controller with I18nSupport
you can pass in the messages as a separate implicit parameter:
@(...)(implicit request: RequestHeader, messages: Messages)
§Getting the current token
The current CSRF token can be accessed using the CSRF.getToken
method. It takes an implicit RequestHeader
, so ensure that one is in scope.
val token: Option[CSRF.Token] = CSRF.getToken
Note: If the CSRF filter is installed, Play will try to avoid generating the token as long as the cookie being used is HttpOnly (meaning it cannot be accessed from JavaScript). When sending a response with a strict body, Play skips adding the token to the response unless
CSRF.getToken
has already been called. This results in a significant performance improvement for responses that don’t need a CSRF token. If the cookie is not configured to be HttpOnly, Play will assume you wish to access it from JavaScript and generate it regardless.
If you are not using the CSRF filter, you also should inject the CSRFAddToken
and CSRFCheck
action wrappers to force adding a token or a CSRF check on a specific action. Otherwise the token will not be available.
import play.api.mvc._
import play.api.mvc.Results._
import play.filters.csrf._
import play.filters.csrf.CSRF.Token
class CSRFController(components: ControllerComponents, addToken: CSRFAddToken, checkToken: CSRFCheck)
extends AbstractController(components) {
def getToken =
addToken(Action { implicit request =>
val Token(name, value) = CSRF.getToken.get
Ok(s"$name=$value")
})
}
To help in adding CSRF tokens to forms, Play provides some template helpers. The first one adds it to the query string of the action URL:
@import helper._
@form(CSRF(routes.ItemsController.save())) {
...
}
This might render a form that looks like this:
<form method="POST" action="/items?csrfToken=1234567890abcdef">
...
</form>
If it is undesirable to have the token in the query string, Play also provides a helper for adding the CSRF token as hidden field in the form:
@form(routes.ItemsController.save()) {
@CSRF.formField
...
}
This might render a form that looks like this:
<form method="POST" action="/items">
<input type="hidden" name="csrfToken" value="1234567890abcdef"/>
...
</form>
§Adding a CSRF token to the session
To ensure that a CSRF token is available to be rendered in forms, and sent back to the client, the global filter will generate a new token for all GET requests that accept HTML, if a token isn’t already available in the incoming request.
§Applying CSRF filtering on a per action basis
Sometimes global CSRF filtering may not be appropriate, for example in situations where an application might want to allow some cross origin form posts. Some non session based standards, such as OpenID 2.0, require the use of cross site form posting, or use form submission in server to server RPC communications.
In these cases, Play provides two actions that can be composed with your applications actions.
The first action is the CSRFCheck
action, and it performs the check. It should be added to all actions that accept session authenticated POST form submissions:
import play.api.mvc._
import play.filters.csrf._
def save = checkToken {
Action { implicit req =>
// handle body
Ok
}
}
The second action is the CSRFAddToken
action, it generates a CSRF token if not already present on the incoming request. It should be added to all actions that render forms:
import play.api.mvc._
import play.filters.csrf._
def form = addToken {
Action { implicit req =>
Ok(views.html.itemsForm)
}
}
A more convenient way to apply these actions is to use them in combination with Play’s action composition:
import play.api.mvc._
import play.filters.csrf._
class PostAction @Inject() (parser: BodyParsers.Default) extends ActionBuilderImpl(parser) {
override def invokeBlock[A](request: Request[A], block: (Request[A]) => Future[Result]) = {
// authentication code here
block(request)
}
override def composeAction[A](action: Action[A]) = checkToken(action)
}
class GetAction @Inject() (parser: BodyParsers.Default) extends ActionBuilderImpl(parser) {
override def invokeBlock[A](request: Request[A], block: (Request[A]) => Future[Result]) = {
// authentication code here
block(request)
}
override def composeAction[A](action: Action[A]) = addToken(action)
}
Then you can minimize the boiler plate code necessary to write actions:
def save = postAction {
// handle body
Ok
}
def form = getAction { implicit req =>
Ok(views.html.itemsForm)
}
§CSRF configuration options
The full range of CSRF configuration options can be found in the filters reference.conf. Some examples include:
play.filters.csrf.token.name
- The name of the token to use both in the session and in the request body/query string. Defaults tocsrfToken
.play.filters.csrf.cookie.name
- If configured, Play will store the CSRF token in a cookie with the given name, instead of in the session.play.filters.csrf.cookie.secure
- Ifplay.filters.csrf.cookie.name
is set, whether the CSRF cookie should have the secure flag set. Defaults to the same value asplay.http.session.secure
.play.filters.csrf.body.bufferSize
- In order to read tokens out of the body, Play must first buffer the body and potentially parse it. This sets the maximum buffer size that will be used to buffer the body. Defaults to 100k.play.filters.csrf.token.sign
- Whether Play should use signed CSRF tokens. Signed CSRF tokens ensure that the token value is randomised per request, thus defeating BREACH style attacks.
§Using CSRF with compile time dependency injection
You can use all the above features if your application is using compile time dependency injection. The wiring is helped by the trait CSRFComponents that you can mix in your application components cake. For more details about compile time dependency injection, please refer to the associated documentation page.
§Testing CSRF
When rendering, you may need to add the CSRF token to a template. You can do this with import play.api.test.CSRFTokenHelper._
, which enriches play.api.test.FakeRequest
with the withCSRFToken
method:
import play.api.test.Helpers._
import play.api.test.CSRFTokenHelper._
import play.api.test.FakeRequest
import play.api.test.WithApplication
class UserControllerSpec extends Specification {
"UserController GET" should {
"render the index page from the application" in new WithApplication() {
val controller = app.injector.instanceOf[UserController]
val request = FakeRequest().withCSRFToken
val result = controller.userGet().apply(request)
status(result) must beEqualTo(OK)
contentType(result) must beSome("text/html")
}
}
}
Next: Custom Validations