Module Id

jahia-csrf-guard

Group Id

org.jahia.modules

Updated

2024-04-30

Requires Jahia

8.1.6.0

Author

JSG

Jahia CSRF Guard

security

Download (4.0.0)

View older versions

Versions

Previous versions

3.4.0

Published

Improvements

Upgraded csrfguard to 4.3.0 to add support for multiple domain origin

Requires Jahia: version-8.0.3.0 - Updated: 2023-06-14

3.3.0

Published

Bug fixes

Improved the header check to prevent polluting errors in Chrome

Requires Jahia: version-8.0.3.0 - Updated: 2023-03-22

3.2.0

Published

In case you're using the Distributed Sessions module, please read the following:

If you are using the distributed-session module, you need to update it to version 3.4.0+ when updating to CSRF Guard 3.2.0, as CSRF Guard 3.2.0 is not compatible with distributed sessions 3.3. Both modules updates will require the restart of the cluster nodes. Note that jahia-csrf-guard 3.2.0 does not depend to distributed-session module anymore (since version 3.4.0)

Improvements

Updated the token holder to store the tokens in the session
Minified CSRFGuard template javascript to save space

Requires Jahia: version-8.0.3.0 - Updated: 2022-11-09

3.1.0

Published

In case you're using the Distributed Sessions module, please read the following:

Note that jahia-csrf-guard 3.0.0 & 3.1.0 have a hard dependency to at least version 3.3.0 of the distributed-session module. So you may need to upgrade also distributed-sessions. Both modules updates will require the restart of the cluster nodes. More details here.

Also note that as version 3.3.0 of the distributed-session module is only compatible with Jahia 8.1.0+, you cannot use jahia-csrf-guard 3.0.0 with Jahia versions prior to 8.1.0.

Bug fixes

Fixed possible truncated response when adding CSRF snippet
Made CSRFguard work with multipart content requests

Requires Jahia: version-8.0.3.0 - Updated: 2022-09-07

3.0.0

Published

Upgraded OWASP csrfguard from 3.1.0 to csrfguard 4.1.4
Allowed TokenPerPage to be configured (more details here)

Requires Jahia: version-8.0.3.0 - Updated: 2022-06-16

2.4.0

Published

Added possibility to set CSRFGuard properties (see Academy page)
Changed module-type of jahia-csrf-guard to "system"
Removed csrf token from error.html pages

Requires Jahia: version-8.0.0.0 - Updated: 2022-03-10

2.3.0

Published

Fixed issue with filtering not applied on SEO urls

Requires Jahia: version-8.0.0.0 - Updated: 2021-10-28

2.2.0

Published

Fixed incompatibility with IE11

Requires Jahia: version-8.0.0.0 - Updated: 2021-06-03

2.1.0

Published

Fixed actions being blocked due to not finding proper CSRFGuard token

Requires Jahia: version-8.0.0.0 - Updated: 2021-02-03

2.0.0

Published

Added CSRF tokens to secure the Core actions

Requires Jahia: version-8.0.0.0 - Updated: 2020-08-31

1.5.0

Published

Added possibility to set CSRFGuard properties (see Academy page)
Changed module-type of jahia-csrf-guard to "system"
Removed csrf token from error.html pages

Requires Jahia: version-7.2.3.1 - Updated: 2022-01-27

1.4.0

Published

Fixed issue with filtering not applied on SEO urls

Requires Jahia: version-7.2.3.1 - Updated: 2021-09-24

1.3.0

Published

Fixed CSRF guard module incompatibility with IE11

Requires Jahia: version-7.2.3.1 - Updated: 2021-05-17

1.2.0

Published

Fixed issue with CSRF Guard on Websphere by adding an alternative configuration
Fixed actions being blocked due to not finding proper CSRFGuard token
Fixed CSRFGuard to register the JavaScriptServlet as servlet (Websphere)

Requires Jahia: version-7.2.3.1 - Updated: 2021-02-22

1.1.1

Published

Fixed issue on Websphere by adding an alternative configuration

Requires Jahia: version-7.2.3.1 - Updated: 2020-10-01

1.1.0

Published

Jahia CSRF Guard module for Jahia 7.x

Requires Jahia: version-7.2.3.1 - Updated: 2020-09-29

This module will add CSRF token protection on all calls to a Jahia Action. It's based on the OWASP CSRFGuard library.

Dependencies & Dependants

Dependencies

NONE

Dependants

NONE

Changelog 4.0.0

Breaking changes

No breaking changes are present in v4.0.0

Improvements

Activated CSRF TokenPerPage by default
Added current session's user in the logs
Improved filtering of actions (.do) by checking the end of the url

Bug fixes

Fixed an issue when calling Jahia actions related to a token not found
Fixed the domain check that was corrupted during minification

FAQ

See https://academy.jahia.com/training-kb/knowledge-base/csrf-error-on-custom-action

Jahia CSRF Guard check_circle

Dependencies & Dependants

Changelog 4.0.0

Breaking changes

Improvements

Bug fixes

FAQ

Jahia CSRF Guard