What are the changes?
Before PaperCut 23.0.8, there were 2 config values closely related to CSRF prevention policies inside server.properties, as well as server.properties.tmpl template.
They were:
- server.csrf-check.validate-request-origin and
- server.csrf-check.deny-unknown-origin.
The first item defines whether we should filter every HTTP request coming into the MF server, and compare their origin, or sometimes proxy set up, against the web address of the MF server itself. When enabled, if it is not a perfect match, from scheme to hostname to port number etc, we drop the request and return an error. This value is by default enabled.
The second item defines the behaviour of the server when there is no clear origin information about the incoming request. When enabled, it also blocks all requests with no clear origin information. This value is also by default enabled.
As of PaperCut 23.0.8, these 2 values have been moved into security.properties and its related template files as of PaperCut 23.0.8. Now they appear under slightly new names:
- security.csrf-check.validate-request-origin and
- security.csrf-check.deny-unknown-origin.
The way they work remain exactly the same as their predecessors.
Along with these 2 values, we have introduced a third value into security.properties.
It is “security.csrf-check.allowed-domain-list”.
Unlike the previous 2 items that expect a “Y” or “N” value, while defaulting to “Y”, this value expects a string value as specific as possible about a known and legitimate source that may send POST requests to the PaperCut server. It accepts multiple semicolon (;) separated values as one string.
For example, if you reasonably expect a domain such as “ paypal.com ” will send POST requests to your app server, because you are running a PayPal Payment Gateway module on your app server, you may add “ paypal.com ” (without the double quotes) to the key. If you also expect “ nelnet.com ” to send POST requests to your server, you may enter the value as “ paypal.com ; nelnet.com ”.
By doing so, even if the “security.csrf-check.validate-request-origin” key has been enabled, requests from defined external domains may still come through. This config value allows all the incoming traffic coming from domains that end with at least one of the semicolon separated values.
For example, if its value is “ paypal.com ; nelnet.com ”, then requests from all these hosts will come through:
- accounts. nelnet.com
- e. paypal.com and so on.
However, a request from the host called “ paypals.com ” will be blocked, as will a request from a host called “ nelnet.com.us ”, because the rule is the request must come from a domain that ends with one of the configured domains.
Therefore, it is in your best interest to make these domains as specific as possible, to limit which specific hosts can send POST requests to your PaperCut server.
Another important rule is that these semicolon separated values must be equal to or more than 5-character long to take effect. For example:
- .com will not work as an “allowed domain” because it only has 4 characters in it.
This is because too many domains would fit this criteria, making this configuration unpractical and unsafe.
By default, it has an empty value, this is when it does not make any exceptions for external hosts to send POST requests to your MF server.
Comments