CSRF Filter
To help demonstrate how front-envoy can enforce CSRF policies, we are releasing a docker compose sandbox that deploys a service with both a frontend and a backend. This service is started on two different virtual machines with different origins.
The frontend has a field for the remote domain to which you would like to send POST requests, along with radio buttons to select that remote domain's CSRF enforcement mode. The CSRF enforcement choices are:
The following documentation runs through the setup of both services.
Ensure that you have recent versions of docker and docker-compose.
A simple way to achieve this is via the .
Step 2: Clone the Envoy repo and start all of our containers
If you have not cloned the Envoy repo, clone it with git clone git@github.com:envoyproxy/envoy or git clone https://github.com/envoyproxy/envoy.git.
Terminal 1 (samesite)
Terminal 2 (crosssite)
envoy/examples/csrf/crosssite
$ docker-compose up --build -d
$ docker-compose ps
Name Command State Ports
crosssite_front-envoy_1 /bin/sh -c /usr/local/bin/ ... Up 10000/tcp, 0.0.0.0:8002->80/tcp, 0.0.0.0:8003->8001/tcp
crosssite_service_1 /docker-entrypoint.sh /bin ... Up 10000/tcp, 80/tcp
Step 3: Test Envoy’s CSRF capabilities
Enter the IP of the samesite machine to demonstrate cross-site requests. Requests sent with enforcement set to enabled will fail. By default this field is populated with localhost.
To demonstrate same-site requests, open the frontend service of the samesite machine and enter the IP address of the samesite machine as the destination.
$ open "http://localhost:8000"
Results of the cross-site request will be shown on the page under Request Results. Your browser’s CSRF enforcement logs can be found in the console and in the network tab.
For example:
If you change the destination to match the origin that is displaying the website and set the CSRF enforcement to enabled, the request will go through successfully.
Step 4: Check stats of backend via admin
When Envoy runs, it can listen to admin requests if a port is configured. In the example configs, the backend admin is bound to port 8001.
http.ingress_http.csrf.missing_source_origin: 0
http.ingress_http.csrf.request_invalid: 1
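The two counters above (plus csrf.request_valid) map directly onto the decision the CSRF filter makes for each state-changing request: derive the source origin from the Origin header (falling back to Referer), compare it with the target origin built from the scheme and Host header, and either count a missing source origin or an invalid request. The following is an added, self-contained Python model of that decision across the disabled, shadow and enabled modes; it is not Envoy's code, the function and dataclass names are this example's own, and the hostnames in the sample requests are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Methods the filter does not evaluate (they are not expected to change state).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class CsrfStats:
    """Counters mirroring the csrf.* stats exposed on the admin port."""
    missing_source_origin: int = 0
    request_invalid: int = 0
    request_valid: int = 0


def _normalize(headers):
    """HTTP header names are case-insensitive; compare on lower-cased keys."""
    return {k.lower(): v for k, v in headers.items()}


def _origin_of(url):
    """Reduce an Origin or Referer value to scheme://host[:port], or None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(method, headers, scheme="http", mode="enabled", stats=None):
    """Hypothetical model of the filter decision (not Envoy's source).

    mode is one of "disabled", "shadow", "enabled".
    Returns (http_status, reason); stats is updated in place when given.
    """
    if stats is None:
        stats = CsrfStats()
    if mode == "disabled" or method.upper() in SAFE_METHODS:
        return 200, "not evaluated"

    h = _normalize(headers)
    source = h.get("origin") or h.get("referer")
    source_origin = _origin_of(source) if source else None
    host = h.get("host")
    target_origin = f"{scheme}://{host}".lower() if host else None

    if source_origin is None:
        stats.missing_source_origin += 1
        verdict = "missing source origin"
    elif source_origin != target_origin:
        stats.request_invalid += 1
        verdict = f"origin mismatch: {source_origin} != {target_origin}"
    else:
        stats.request_valid += 1
        return 200, "same-origin"

    # Shadow mode records the violation in the stats but lets the request through.
    if mode == "shadow":
        return 200, verdict + " (shadow mode, not blocked)"
    return 403, verdict


def run_sandbox_scenarios():
    """Replays the sandbox scenarios against the model; hostnames are constructed."""
    stats = CsrfStats()
    same = "samesite.example.test:8000"
    cross = "crosssite.example.test:8002"
    results = {
        # Browser on the samesite origin posting to the samesite backend.
        "same_site": csrf_check("POST", {"Host": same, "Origin": f"http://{same}"}, stats=stats),
        # Browser on the crosssite origin posting to the samesite backend.
        "cross_site": csrf_check("POST", {"Host": same, "Origin": f"http://{cross}"}, stats=stats),
        # Same cross-site request with enforcement in shadow mode.
        "cross_site_shadow": csrf_check("POST", {"Host": same, "Origin": f"http://{cross}"},
                                        mode="shadow", stats=stats),
        # No Origin or Referer at all (e.g. a non-browser client).
        "no_origin": csrf_check("POST", {"Host": same}, stats=stats),
        # Referer is consulted when Origin is absent.
        "referer_fallback": csrf_check("POST", {"Host": same, "Referer": f"http://{same}/page?x=1"},
                                       stats=stats),
        # GET is never evaluated even when the origins differ.
        "safe_method": csrf_check("GET", {"Host": same, "Origin": f"http://{cross}"}, stats=stats),
    }
    return results, stats


if __name__ == "__main__":
    res, st = run_sandbox_scenarios()
    for name, (status, reason) in res.items():
        print(f"{name:18s} {status} {reason}")
    print(st)
```

The stats object after the replay corresponds to what a grep for csrf on the admin /stats output would show: one missing_source_origin, two request_invalid (the shadow-mode request is counted even though it is allowed), and two request_valid.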