What are the transparent library will be able to use or something like that easy in order to prevent cross-site request forgery (CSRF) with Perl and Apache? How do i generate tokens for forms and validating them server-side?
To safeguard from "Mix-site request forgery" from server side, it is advisable to:
- Use HTML escape. If you are using some template system like Template Toolkit, you need to use it's escape abilities. If you are using CGI.pm, it's "escapeHTML" sub to get this done.
- Limit existence duration of session snacks to relatively short periods. For CGI::Session it is possible with $session->expire($time).
- Check referer when outputting vulnerable pages.
- Avoid usingOrtake GET request to change data.
Carrying this out is framework specific but simple.
Take a look at what CGI::Application::Plugin::ProtectCSRF does. This module is perfect for the CGI::Application framework.
It should not be way too hard to change the module for other frameworks. Essentially, user forms obtain a hidden HTML area added using the produced token, and also the session object will get exactly the same token. Once the form is posted, the shape-posted token is in comparison towards the token within the session object (that is around the server). When they don't match, a CSRF has likely happened.
There's additionally a Catalyst wordpress plugin: Catalyst::Controller::RequestToken
These modules use attribute handlers so there's hardly any modification needed for your existing application.