Servlet Filter against CSRF --------------------------- Key: JBWEB-141 URL: https://jira.jboss.org/jira/browse/JBWEB-141 Project: JBoss Web Issue Type: Feature Request Security Level: Public(Everyone can see) Reporter: Marc Schoenefeld Assignee: Remy Maucherat Priority: Minor Fix For: JBossWeb-3.0.0.Beta6 Cross-Site scripting and cross-site request forgery attacks are common threat to every web application. So a common solution offered by the http server is helpful to raise the default protection level. A servlet filter will help to a) allow/block requests for a set of XSS regex patterns (per default blacklist suspicious parameter patterns, and optionally whitelist valid requests for well-known applications) b) allow/block requests that fulfil the criteria for being a forged request (failing nonce compare), this will need a javascript helper on the client side, to transparently protect existing applications to provide the shared secret in the session .