This document describees the main security features that are provided by the Marten web framework.
Cross-Site Request Forgery protection
Cross-Site Request Forgery (CSRF) attacks generally involve a malicious website trying to perform actions on a web application on behalf of an already authenticated user.
You should be careful when tweaking those settings and avoid disabling this protection unless this is absolutely necessary.
The CSRF protection provided by Marten is based on the verification of a token that must be provided for each unsafe HTTP request (ie. requests whose methods are not
TRACE). This token is stored in the client cookies and it must be specified when submitting unsafe requests (either in the data itself or using a specific header): if the tokens are not valid, or if the cookie-based token does not match the one provided in the data, then this means that the request is malicious and that it must be rejected.
You can learn about the CSRF protection provided by Marten and the associated tools in the dedicated documentation.
Clickjacking attacks involve a malicious website embedding another unprotected website in a frame. This can lead to users performing unintended actions on the targeted website.
Marten comes with a built-in clickjacking protection mechanism, that involves using a dedicated middleware (the X-Frame-Options middleware). This middleware is always automatically enabled for projects that are generated via the
new management command and, as its name implies, it involves setting the X-Frame-Options header in order to prevent the considered Marten website from being inserted into a frame.
You can learn about the clickjacking protection provided by Marten and the associated tools in the dedicated documentation.
Cross Site Scripting protection
It should be noted that this auto-escaping mechanism can be disabled using a specific filter if needed, but you should be aware of the risks while doing so and ensure that your HTML contents are properly sanitized in order to avoid XSS vulnerabilities.
HTTP Host Header attacks protection
HTTP Host Header attacks happen when websites that handle the value of the Host header (eg. in order to generate fully qualified URLs) trust this header value implicitly and don't verify it.
Marten implements a protection mechanism against this type of attack by validating the Host header against a set of explicitly allowed hosts that must be specified in the
allowed_hosts setting. The X-Forwarded-Host header can also be used to determine the host if the use of this header is enabled (
SQL injection protection
SQL injection attacks happen when a malicious user is able to execute arbitrary SQL queries on a database, which usually occurs when submitting input data to a web application. This can lead to database records being leaked and/or altered.
The query sets API provided by Marten generates SQL code by using query parameterization. This means that the actual code of a query is defined separately from its parameters, which ensures that any user-provided parameter is escaped by the considered database driver before the query is executed.
Content Security Policy
The Content-Security-Policy (CSP) header is a collection of guidelines that the browser follows to allow specific sources for scripts, styles, embedded content, and more. It ensures that only these approved sources are allowed while blocking all other sources.
Marten comes with a built-in Content Security Policy mechanism, that involves using a dedicated middleware (the Content-Security-Policy middleware). This middleware guarantees the presence of the Content-Security-Policy header in the response's headers.
You can learn about the Content-Security-Policy header and how to configure it in the dedicated documentation.