Fix Version/s: None
Component/s: Application Security
Liferay has CSRF protection via the p_auth token. There is a lot of information regarding this parameter in wikis, forums, and Q&A, but much of it is out of date. It would be helpful to have official documentation for this feature.
The documentation should probably briefly explain CSRF and the p_auth token and link to OWASP for a more thorough explanation.
The documentation should also explain:
- When the p_auth CSRF protection was first added (meaning which version of Liferay Portal first had the p_auth CSRF protection).
- If the protection is enabled by default (I believe it is).
- When p_auth CSRF protection was first enabled by default (meaning which version of Liferay Portal first had it enabled by default).
- How to disable the p_auth protection (with a lot of cautionary language about why it's dangerous to disable the feature).
- The portlet phases that the p_auth CSRF protection is enabled for (I believe it's just the ACTION_PHASE for now).
- How to use the p_auth token CSRF protection during other phases (such as the RESOURCE_PHASE to secure Ajax forms against CSRF).