Defeating cross-site request forgery (CSRF) attacks

Cross-site request forgery (CSRF) is an attack that exploits the trust that a site has in a user's browser to transmit unauthorized commands.

The CRSF protection feature is not supported when the operation mode is offline protection or transparent inspection.

Configuration overview

To protect back-end servers from CSRF attacks, you create two lists of items: a list of web pages to protect against CSRF attacks, and a corresponding list of the URLs found in the requests that the pages generate.

Create your configuration carefully, making sure that all the URLs in the list have corresponding entries in the page list, and that Session Management is enabled in the protection profile that uses the rule. When FortiWeb checks requests for the token but has not added the script to the corresponding web page, it blocks or takes other action against the request.

Examples of requests with the anti-CSRF parameter

For example, a web page in the list of pages contains the following <a href> element:

<a href=/csrf_test1.php>test</a>

This link generates the following request, which includes the parameter that the javascript has added:

Therefore, to make the feature work for this web page, you add /csrf_test1.php to the list of URLs.

For an example using an HTML form element, the web page csrf_login.html contains the following form:

<form name="do_some_action" id="form1" action="csrf_test2.php" method="GET">

<input type="text" name="username" value=""/>

<Input type="text" name="password" value=""/>

<input type="submit" value="do Action"/>


This form generates the following request when the page is added to the list of pages protected by a CSRF protection policy:

In this case, you add csrf_login.html to the list of pages and /csrf_check2.php to the list of URLs.

Parameter filters

In some cases, a request for a web page and the requests generated by its links have the same URL. FortiWeb cannot distinguish between requests to add javascript to and requests to check for the anti-CSRF parameter.

To avoid this issue, you create unique Page List Table and URL List Table items by adding a parameter filter to them. The parameter filter allows you to add additional criteria to match in the URL or HTTP body of a request.

For example, in the following form element, the parameters are in the body of the HTTP request, not the URL:

<form action="post.asp" enctype="MULTIPART/FORM-DATA" method="POST">

<input TYPE="FILE" NAME="FILE1">


<input TYPE="SUBMIT" NAME="SUB1" VALUE="Upload File">


To allow FortiWeb to correctly recognize the POST request as one that should contain the anti-CSRF token, add a filter that checks for a parameter in the HTTP body to the corresponding URL List Table item. If the request for post.asp does not contain the parameter specified in the URL List Table item, FortiWeb can instead match it with a post.asp item in the Page List Table, and adds the javascript to it.

You can also match a parameter in the URL. For example, the request to match has the following URL:


Request TypeSimple String

Full URL/

Parameter Filter – Selected

Parameter Nameusername

Parameter Value TypeRegular Expression

Parameter Value*

The parameter value * (asterix) matches any value.


If the feature is not working properly, ensure the following:

To protect against CSRF attacks

1.  Go to Web Protection > Advanced Protection > CSRF Protection.

2.  Click Create New, then configure these settings:

Setting name Description
Name Enter a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters.

Select which action FortiWeb takes when it detects a missing or incorrect anti-CSRF parameter:

The default value is Alert.

Note: Logging and alert email occur only if the corresponding settings are enabled and configured. See Logging and Alert email.

Block Period

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects a CSRF attack.

This setting is available only if Action is set to Period Block. The valid range is from 1 to 3,600 (1 hour). The default value is 60. See also Monitoring currently blocked IPs.


When FortiWeb records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb uses when it logs a CSRF attack:

  • Low
  • Medium
  • High

The default value is Low.

Trigger Action Select the trigger, if any, that FortiWeb uses when it logs or sends an alert email about a CSRF attack. See Viewing log messages.

3.  Click OK.

4.  Under Page List Table, click Create New, and then configure these settings:

Setting name Description
Host Status

Enable to apply this rule only to HTTP requests for specific web hosts. Also configure Host.

Disable to match the rule based on the URL and any parameter filter only.


Select a protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request matches.

This option is available only if Host Status is enabled.

Request Type

Select whether Full URL contains a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).

When you select Regular Expression, you do not have to enter the complete URL for Full URL.

For example, there are two ways you can configure the item to match the URL /

  • For Request Type, select Simple String, and for Full URL, enter /
  • For Request Type, select Regular Expression, and for Full URL, enter test\.com.
Full URL

Enter either a literal URL or regular expression.

Parameter Filter Select to specify a parameter name and value to match. The parameter can be located in either the URL or the HTTP body of a request.

For more information, see Parameter filters.
Parameter Name Enter the parameter name to match.
Parameter Value Type Select whether Parameter Value contains a literal URL (Simple String), or a regular expression designed to match multiple values (Regular Expression).
Parameter Value Enter either a literal URL or regular expression.

To match any parameter value, for Parameter Value Type, select Regular Expression, and enter * (asterisk).

5.  Click OK.

6.  Add any additional web pages that you want to protect.

7.  Under URL List Table, click Create New, and then configure the settings.

The settings for adding a URL list item are the same as the ones that you use to add a page list item.

8.  Click OK.

9.  To apply the rule, in an inline protection profile, ensure Session Management is selected, and then select the CSRF protection rule (see Configuring a protection profile for inline topologies).