
What does the Sitecore.Security.AntiCsrf do and can I disable it on my Content Delivery server?

We are currently having an issue where some AJAX requests to async Controller actions are hanging when an exception is thrown inside the action.

When viewed through the currently executing requests, you can see the following information:

<REQUEST REQUEST.NAME="c500100080026ded" Url="/url" Verb="GET" Stage="SendResponse" Module="SitecoreAntiCSRF" Time="1602531" SITE.ID="2" WP.NAME="14268" APPPOOL.NAME="AppPool" />

Is the module needed on Content Delivery servers? Can I completely remove it? What would be the implications if I do so?

The version of Sitecore: 8 Update-5

marto asked Sep 16 '16 16:09


1 Answer

The module is designed to protect WebForms from CSRF attacks. By default, it is configured to protect Sitecore interfaces (Sitecore shell) only. However, it supports configuration and can be enabled to protect frontend solutions.

Since the Sitecore shell site is disabled on Content Delivery servers, the module can safely be disabled or completely removed without any implications. If you have the Sitecore backend enabled on Content Delivery servers, the module can be configured to skip processing requests to some specific locations. Just add a node to the Sitecore.AntiCsrf.config file and specify the URL to filter.

user2094638 answered Sep 23 '22 02:09