Compatibility for CSRF protection & Cloudflare full HTML page caching

[eva2000]

I'm curious if there's any better way for CSRF protection that would work with Cloudflare or other CDN's guest full HTML page caching which uses cookies to differentiate between logged in/logged out guest users?

The issue that arises with Xenforo 2.x in CSRF and full page HTML caching is similar to the one outlined by Cloudflare for Magento and includes the workaround Magento did at https://blog.cloudflare.com/the-curious-case-of-caching-csrf-tokens/. Easy work around for register/login, guest posting and guest search and contact links can be made. But a better solution would be nice like the one outlined in Cloudflare blog

from https://blog.cloudflare.com/the-curious-case-of-caching-csrf-tokens/

There's quite a lengthy Github thread which outlines this issue and references the Pull Requests which fixed this behaviour in the the Magento Turpentine plugin. I won't repeat the set-up instructions here, but they can be found in an article I've written on the Cloudflare Knowledge Base: Caching Static HTML with Magento (version 1 & 2)

Effectively what happens here is that the dynamic CSRF token is only injected into the web page the moment that it's needed. This is actually the behaviour that's implemented in other e-commerce platforms and Magento 2.0+, allowing Full Page Caching to be implemented quite easily. We had to recommend this plugin as it wouldn't be practical for the site owner to simply update to Magneto 2.

and https://support.cloudflare.com/hc/e...Caching-Static-HTML-with-Magento-version-1-2-

Most Secure: The best alternative is to use AJAX to dynamically fill in the value of the CSRF token in your Magento site. When a user clicks the button to add something to their cart, some JavaScript jumps in to update the CSRF token in the forms to match the user’s session. This can enable most of the page to be served from cache but will still require a request back to the origin to fetch the token.

Edit: seems like a compromise is to have an option in Admin which can globally turn off overlays for guest visitor clicked on login, register, contact, search, and guest post thread link/buttons. So that they aren't done on the cached HTML page but redirected to a separate HTML which can be excluded from cache path etc.

 

[Recep Baltaş]

Did someone say Cloudflare? Count me in. In fact, XF should talk with CF to have an official XenForo add-on just like Wordpress APO.

 

[Joe Link]

XF should talk with CF to have an official XenForo add-on just like Wordpress APO

They really should.

 

[Alpha1]

Yes, we need not only this, but a comprehensive cloudflare integration.
Cloudflare is essential infrastructure for our security, site speed, SSL, blocking spam bots and more. It would be very beneficial if XF would have advanced integration including, CRSF protection, firewall rules, page caching & ESI, CF Images support and usergroup integration so that ranking members can bypass captcha when under attack.

 

[Recep Baltaş]

BTW, we also need an official Google plugin for XenForo! XenForo is THE forum software now and Google needs to have an official XF add-on just like their Site Kit add-on for Wordpress.

 

[Alpha1]

I dont think you can compare XF volume to WP volume.

XenForo is THE forum software now

how is XF doing in term of customers compared to other platforms?

Remember when vBulletin was over 75%? Is the total conserved in those plots (or do some sites drop out)? If it's conserved, then with most others flat since 2019, it suggests XF is eating away at VB quite significantly...

xenforo.com

 

[digitalpoint]

Did someone say Cloudflare? Count me in. In fact, XF should talk with CF to have an official XenForo add-on just like Wordpress APO.

Cloudflare has an API that covers all it's functionality, so it's certainly not an impossible task.

Also, this (haha):

 

[Ozzy47]

Also, this (haha):

We want this!!!

 

[Recep Baltaş]

Cloudflare has an API that covers all it's functionality, so it's certainly not an impossible task.

Also, this (haha):
View attachment 265473

Here is a forward looking gentleman. And here is your second customer

 

[eva2000]

Also, this (haha):

Need to peak under your sleeves, what have you been hiding?

 

[digitalpoint]

Need to peak under your sleeves, what have you been hiding?

It's nothing too exciting. It also doesn't completely work (it's been a work on it once in awhile thing... not exactly a high priority).

Managing settings in the XF admin area does work (as you can see from screenshot, I left out descriptions on everything because it was too much screen real estate, was intended just for myself and if you don't know what something is in Cloudflare, you shouldn't be messing with it.. hah)

The admin navigation has some section stubbed out to remind me I need to do them, but they aren't functional yet (Firewall, Access and Page Rule management). I want Access to be able to auto-configure itself how I use it for XenForo, same with Page Rules (like forcing Cloudflare to cache XF's CSS since it's not a cacheable extension by default). Maybe do some Firewall trickery where you could block spammer IPs automatically for a period of time (like maybe unblock after 48 hours so you aren't left with thousands of stale Firewall rules in Cloudflare after years).

I do some other stuff with the Cloudflare API (like checking web server health and automatically changing DNS appropriately if you are manually taking down Nginx via ExecStop function for Nginx in systemd). Basically if Nginx is being stopped for any reason systemd will first check to make sure that server isn't serving requests and if it is, make appropriate Cloudflare DNS changes so it no longer is before Nginx stops. Some of that, I might be able to roll into the add-on, but we'll see.

 

[fionix]

Now we just need what you made as ADD ON for Xenforo. Anyway, most if not all of it can be handled directly in the Cloudflare control panel, or do I miss something here?

 

[digitalpoint]

Now we just need what you made as ADD ON for Xenforo. Anyway, most if not all of it can be handled directly in the Cloudflare control panel, or do I miss something here?

Ya... it doesn't magically add new Cloudflare functionality. It just makes management a little simpler. Once Cloudflare stuff is setup (even if done directly on Cloudflare's dashboard), it's rare you need to change anything.

There's a couple things I want to do that go beyond "set and forget" configuration though... like the ability to add IPs to Cloudflare Firewall and then have those rules automatically expire after a period of time. Could also do something like monitor server load and automatically set "Security Level" based on that load... Like if your server load is over 100, might be worthwhile to set the "Under Attack" mode automatically (as an example).

Being able to set Development Mode and flush the Cloudflare cache from XenForo admin definitely is handy though.

 

[fionix]

You have some real good points there, do you consider to make your work as an ADD ON ?

 

[Forsaken]

You have some real good points there, do you consider to make your work as an ADD ON ?

It is an add-on, but it is in development, and he doesn't have to release it.

 

[digitalpoint]

As @Forsaken pointed out, it is already an add-on. The primary intention of it is just for internal use. Maybe someday if it's ever done, I'll turn it over to another dev because honestly I don't have enough time in the day for my own projects, so trying to support other people is totally outside the scope of what I have time for. Trying to explain to an upset site owner how to fix their site after they turned on Rocket Loader isn't really something that sounds like a fun time to me (and since I don't have enough hours in the day for my own projects, not sure why I would want to take on more problems that aren't my own.. hah)

 

[Ozzy47]

As @Forsaken pointed out, it is already an add-on. The primary intention of it is just for internal use. Maybe someday if it's ever done, I'll turn it over to another dev because honestly I don't have enough time in the day for my own projects, so trying to support other people is totally outside the scope of what I have time for. Trying to explain to an upset site owner how to fix their site after they turned on Rocket Loader isn't really something that sounds like a fun time to me (and since I don't have enough hours in the day for my own projects, not sure why I would want to take on more problems that aren't my own.. hah)

I wouldn’t mind trying to support it if you want it released at some point.

 

[digitalpoint]

I went ahead and released the Cloudflare addon, in case anyone was interested (and uses Cloudflare):

[DigitalPoint] App for Cloudflare®

Features Everything is available from within XenForo (you do not need to go to Cloudflare for things) via the Cloudflare API. This allows you give admins permission to do certain things (for example block IP addresses within Cloudflare without...

xenforo.com

 

[Kirby]

Not strictly related to Cloudflare, though it would indeed be nice if there was an option to disable CSRF token checks for modern browsers.

Protect your resources from web attacks with Fetch Metadata | Articles | web.dev

Fetch Metadata is a new web platform feature designed to allow servers to protect themselves from cross-origin attacks.

web.dev

This could make caching full HTML (not only with CloudFlare) quite a bit easier.

 

[digitalpoint]

Not strictly related to Cloudflare, though it would indeed be nice if there was an option to disable CSRF checks for modern browsers.

Protect your resources from web attacks with Fetch Metadata | Articles | web.dev

Fetch Metadata is a new web platform feature designed to allow servers to protect themselves from cross-origin attacks.

web.dev

This could make caching full HTML (not only with CloudFlare) quite a bit easier.

10000% onboard with this.