Aller au contenu principal
Jahia Store
FR

Jahia CSRF Guard

supported
Télécharger 4.2.0

Informations

Identifiant du module
jahia-csrf-guard
Identifiant de groupe
org.jahia.modules
Statut
supported
Catégorie
Security
Auteur
JSG
Site web du développeur
http://www.jahia.com
Nécessite Jahia
8.1.7.0
Mis à jour
2026-07-09
Source
scm:git:git@github.com:Jahia/jahia-csrf-guard.git
Étiquettes
  • security

This module will add CSRF token protection on all calls to a Jahia Action. It's based on the OWASP CSRFGuard library.

Versions

Improvements

  • CSRF Guard is now disabled by default for unauthenticated users (guest). In most cases, CSRFGuard is not necessary when users are not authenticated, but if you need to change that behavior, it can be enabled using the jahia.csrf-guard.bypassForGuest property (true by default).
  • Updated the module to OWASP www-project-csrfguard v4.5.0 (latest version at the time of release). Notable changes include:
    • Improve URL normalization to allows URLs with protocol and server name
    • Introduced a tag mechanism to support client-side caching of jahia-csrf-guard's javascript
  • Replaced 'unload' event usage by 'pagehide' for registering cleanup operations, which helps improve pagespeed scores
  • Updated the module to use console.debug() instead of alert() to lower end-user disruptions

Misc

  • Removed unused dependency and upgraded jahia parent to 8.1.7.0
  • Removed Spring bean definition to migrate to OSGI including configuration 
  • Updated comments explaining usage of cacheControlTagged in csrfguard-jahia.properties file
Nécessite Jahia 8.1.7.0Mis à jour 2025-05-12

Bug fixes

  • Fixed an issue with multi domain validation 
Nécessite Jahia 8.1.6.0Mis à jour 2025-01-30

Breaking changes

  • No breaking changes are present in v4.0.0

Improvements

  • Activated CSRF TokenPerPage by default
  • Added current session's user in the logs
  • Improved filtering of actions (.do) by checking the end of the url

Bug fixes

  • Fixed an issue when calling Jahia actions related to a token not found
  • Fixed the domain check that was corrupted during minification
Nécessite Jahia 8.1.6.0Mis à jour 2024-07-29

Improvements

  • Upgraded csrfguard to 4.3.0 to add support for multiple domain origin
Nécessite Jahia 8.0.3.0Mis à jour 2023-06-15

Bug fixes

  • Improved the header check to prevent polluting errors in Chrome
Nécessite Jahia 8.0.3.0Mis à jour 2023-03-24
In case you're using the Distributed Sessions module, please read the following:

If you are using the distributed-session module, you need to update it to version 3.4.0+ when updating to CSRF Guard 3.2.0, as CSRF Guard 3.2.0 is not compatible with distributed sessions 3.3. Both modules updates will require the restart of the cluster nodes. Note that jahia-csrf-guard 3.2.0 does not depend to distributed-session module anymore (since version 3.4.0)

Improvements

  • Updated the token holder to store the tokens in the session
  • Minified CSRFGuard template javascript to save space
Nécessite Jahia 8.0.3.0Mis à jour 2022-11-16
In case you're using the Distributed Sessions module, please read the following:

Note that jahia-csrf-guard 3.0.0 & 3.1.0 have a hard dependency to at least version 3.3.0 of the distributed-session module. So you may need to upgrade also distributed-sessions. Both modules updates will require the restart of the cluster nodes. More details here.

Also note that as version 3.3.0 of the distributed-session module is only compatible with Jahia 8.1.0+, you cannot use jahia-csrf-guard 3.0.0 with Jahia versions prior to 8.1.0.

Bug fixes

  • Fixed possible truncated response when adding CSRF snippet
  • Made CSRFguard work with multipart content requests
Nécessite Jahia 8.0.3.0Mis à jour 2022-11-16
  • Upgraded OWASP csrfguard from 3.1.0 to csrfguard 4.1.4
  • Allowed TokenPerPage to be configured (more details here)
Nécessite Jahia 8.0.3.0Mis à jour 2022-06-23
  • Added possibility to set CSRFGuard properties (see Academy page)
  • Changed module-type of jahia-csrf-guard to "system"
  • Removed csrf token from error.html pages
Nécessite Jahia 8.0.0.0Mis à jour 2022-03-11
  • Fixed issue with filtering not applied on SEO urls
Nécessite Jahia 8.0.0.0Mis à jour 2021-11-04
  • Fixed incompatibility with IE11
Nécessite Jahia 8.0.0.0Mis à jour 2021-06-17
  • Fixed actions being blocked due to not finding proper CSRFGuard token
Nécessite Jahia 8.0.0.0Mis à jour 2021-02-05
  • Added CSRF tokens to secure the Core actions
Nécessite Jahia 8.0.0.0Mis à jour 2020-09-04
  • Added possibility to set CSRFGuard properties (see Academy page)
  • Changed module-type of jahia-csrf-guard to "system"
  • Removed csrf token from error.html pages
Nécessite Jahia 7.2.3.1Mis à jour 2022-03-10
  • Fixed issue with filtering not applied on SEO urls
Nécessite Jahia 7.2.3.1Mis à jour 2021-10-05
  • Fixed CSRF guard module incompatibility with IE11
Nécessite Jahia 7.2.3.1Mis à jour 2021-05-28
  • Fixed issue with CSRF Guard on Websphere by adding an alternative configuration
  • Fixed actions being blocked due to not finding proper CSRFGuard token
  • Fixed CSRFGuard to register the JavaScriptServlet as servlet (Websphere)
Nécessite Jahia 7.2.3.1Mis à jour 2021-02-22
  • Fixed issue on Websphere by adding an alternative configuration
Nécessite Jahia 7.2.3.1Mis à jour 2020-10-01

Jahia CSRF Guard module for Jahia 7.x

Nécessite Jahia 7.2.3.1Mis à jour 2020-09-29