Compatibility for CSRF protection & Cloudflare full HTML page caching

eva2000

Well-known member
I'm curious if there's any better way for CSRF protection that would work with Cloudflare or other CDN's guest full HTML page caching which uses cookies to differentiate between logged in/logged out guest users?

The issue that arises with Xenforo 2.x in CSRF and full page HTML caching is similar to the one outlined by Cloudflare for Magento and includes the workaround Magento did at https://blog.cloudflare.com/the-curious-case-of-caching-csrf-tokens/. Easy work around for register/login, guest posting and guest search and contact links can be made. But a better solution would be nice like the one outlined in Cloudflare blog :)

from https://blog.cloudflare.com/the-curious-case-of-caching-csrf-tokens/

There's quite a lengthy Github thread which outlines this issue and references the Pull Requests which fixed this behaviour in the the Magento Turpentine plugin. I won't repeat the set-up instructions here, but they can be found in an article I've written on the Cloudflare Knowledge Base: Caching Static HTML with Magento (version 1 & 2)

Effectively what happens here is that the dynamic CSRF token is only injected into the web page the moment that it's needed. This is actually the behaviour that's implemented in other e-commerce platforms and Magento 2.0+, allowing Full Page Caching to be implemented quite easily. We had to recommend this plugin as it wouldn't be practical for the site owner to simply update to Magneto 2.

and https://support.cloudflare.com/hc/e...Caching-Static-HTML-with-Magento-version-1-2-

Most Secure: The best alternative is to use AJAX to dynamically fill in the value of the CSRF token in your Magento site. When a user clicks the button to add something to their cart, some JavaScript jumps in to update the CSRF token in the forms to match the user’s session. This can enable most of the page to be served from cache but will still require a request back to the origin to fetch the token.


Edit: seems like a compromise is to have an option in Admin which can globally turn off overlays for guest visitor clicked on login, register, contact, search, and guest post thread link/buttons. So that they aren't done on the cached HTML page but redirected to a separate HTML which can be excluded from cache path etc.
 
Last edited:
Upvote 25
Yes, we need not only this, but a comprehensive cloudflare integration.
Cloudflare is essential infrastructure for our security, site speed, SSL, blocking spam bots and more. It would be very beneficial if XF would have advanced integration including, CRSF protection, firewall rules, page caching & ESI, CF Images support and usergroup integration so that ranking members can bypass captcha when under attack.
 
Last edited:
Also, this (haha):

We want this!!!
throw money GIF by Sixt
 
Need to peak under your sleeves, what have you been hiding? :D
It's nothing too exciting. It also doesn't completely work (it's been a work on it once in awhile thing... not exactly a high priority).

Managing settings in the XF admin area does work (as you can see from screenshot, I left out descriptions on everything because it was too much screen real estate, was intended just for myself and if you don't know what something is in Cloudflare, you shouldn't be messing with it.. hah)

The admin navigation has some section stubbed out to remind me I need to do them, but they aren't functional yet (Firewall, Access and Page Rule management). I want Access to be able to auto-configure itself how I use it for XenForo, same with Page Rules (like forcing Cloudflare to cache XF's CSS since it's not a cacheable extension by default). Maybe do some Firewall trickery where you could block spammer IPs automatically for a period of time (like maybe unblock after 48 hours so you aren't left with thousands of stale Firewall rules in Cloudflare after years).

I do some other stuff with the Cloudflare API (like checking web server health and automatically changing DNS appropriately if you are manually taking down Nginx via ExecStop function for Nginx in systemd). Basically if Nginx is being stopped for any reason systemd will first check to make sure that server isn't serving requests and if it is, make appropriate Cloudflare DNS changes so it no longer is before Nginx stops. Some of that, I might be able to roll into the add-on, but we'll see.

1646328148802.webp

cloudflare.webp
 
Now we just need what you made as ADD ON for Xenforo. Anyway, most if not all of it can be handled directly in the Cloudflare control panel, or do I miss something here?
 
Now we just need what you made as ADD ON for Xenforo. Anyway, most if not all of it can be handled directly in the Cloudflare control panel, or do I miss something here?
Ya... it doesn't magically add new Cloudflare functionality. It just makes management a little simpler. Once Cloudflare stuff is setup (even if done directly on Cloudflare's dashboard), it's rare you need to change anything.

There's a couple things I want to do that go beyond "set and forget" configuration though... like the ability to add IPs to Cloudflare Firewall and then have those rules automatically expire after a period of time. Could also do something like monitor server load and automatically set "Security Level" based on that load... Like if your server load is over 100, might be worthwhile to set the "Under Attack" mode automatically (as an example).

Being able to set Development Mode and flush the Cloudflare cache from XenForo admin definitely is handy though. :)
 
As @Forsaken pointed out, it is already an add-on. The primary intention of it is just for internal use. Maybe someday if it's ever done, I'll turn it over to another dev because honestly I don't have enough time in the day for my own projects, so trying to support other people is totally outside the scope of what I have time for. Trying to explain to an upset site owner how to fix their site after they turned on Rocket Loader isn't really something that sounds like a fun time to me (and since I don't have enough hours in the day for my own projects, not sure why I would want to take on more problems that aren't my own.. hah)
 
As @Forsaken pointed out, it is already an add-on. The primary intention of it is just for internal use. Maybe someday if it's ever done, I'll turn it over to another dev because honestly I don't have enough time in the day for my own projects, so trying to support other people is totally outside the scope of what I have time for. Trying to explain to an upset site owner how to fix their site after they turned on Rocket Loader isn't really something that sounds like a fun time to me (and since I don't have enough hours in the day for my own projects, not sure why I would want to take on more problems that aren't my own.. hah)

I wouldn’t mind trying to support it if you want it released at some point.
 
I went ahead and released the Cloudflare addon, in case anyone was interested (and uses Cloudflare):

 
Not strictly related to Cloudflare, though it would indeed be nice if there was an option to disable CSRF token checks for modern browsers.


This could make caching full HTML (not only with CloudFlare) quite a bit easier.
 
Last edited:
Top Bottom