Web Interface Settings; Protection Against Cross-Site Request Forgery - Konftel 800 Installation & Administration



MAINTENANCE

Web interface settings

The web server in Konftel 800 supports secure connections using HTTPS, and the phone accepts connections to the web interface only over HTTPS. You can configure the HTTPS certificate only through the web interface.

The following table shows the web interface setting that you can configure for Konftel 800 in the Provisioning tab:

Name: Secure HTTP > Webapp HTTPs Certificate
Description: Uploads a .PEM certificate to Konftel 800 for HTTPS. Konftel 800 supports certificates in the .PEM format only. You must convert certificates and private keys to .PEM before using them in the phone. For more information, see Converting the certificates to .PEM format on page 77.

You can use the following command to generate a self-signed HTTPS web interface certificate:

openssl req -new -x509 -keyout https_web_certificate.pem -out https_web_certificate.pem -days <number of days> -nodes

Because -keyout and -out name the same file, OpenSSL writes the private key first and then appends the certificate, so the one file holds both, which is what the phone expects. -nodes stores that private key unencrypted, so restrict access to the file and delete it after uploading. With OpenSSL 1.1.1 or later, also pass -subj "/CN=<host name>" -addext "subjectAltName=DNS:<host name>,IP:<IP address>": browsers match the name they connect to against subjectAltName and ignore the CN. Because -x509 produces a self-signed certificate, browsers show a warning until the certificate is trusted on the administrators' computers.

Protection against cross-site request forgery

When the user logs in to the web interface of Konftel 800 with the administrator password, the web application of the phone uses specific tokens to protect against Cross-Site Request Forgery (CSRF) attacks.

CSRF is an attack that tricks the user into submitting a malicious request. The attacker borrows the identity and privileges of the user to perform undesired actions on the user's behalf. CSRF attacks target functionality that causes a state change, for example changing the user's password. If the user stays authenticated to the website during the attack, the website cannot distinguish between forged and legitimate requests, because the browser attaches the session cookie to both.

Konftel 800 generates a new CSRF token on each request. Each link or parameter change in the web interface must carry a CSRF token as a request parameter. The web application checks that the token in the request is the correct one; because the token changes with every request, a token captured earlier no longer matches. For example, if the attacker copies an existing link from the open web interface of
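The following Go program is an added example, not Konftel's code or part of the manual. It does what the openssl command above does, writing private key and certificate into one .PEM file, and then runs the checks worth making on such a file before uploading it to the phone: that the file holds a private key and a certificate that belong together, that the certificate is currently valid, and that it covers the name administrators will type into their browser. It goes one step beyond the bare command by putting the names into subjectAltName. The host name konftel800.example.local, the address 192.0.2.10 and the 365-day lifetime are placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// makeCombinedPEM does what the openssl command does: it creates a self-signed
// certificate for the phone's web interface and returns private key and
// certificate in one PEM buffer, key first, as `-keyout F -out F` produces.
// It also lists the names clients will use in subjectAltName, which browsers
// require; they ignore the CN.
func makeCombinedPEM(dnsNames []string, ips []net.IP, days int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: dnsNames[0]},
		DNSNames:              dnsNames,
		IPAddresses:           ips,
		NotBefore:             time.Now().Add(-time.Hour), // tolerate clock skew on the phone
		NotAfter:              time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	pem.Encode(&buf, &pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: der})
	return buf.Bytes(), nil
}

// checkCombinedPEM runs the checks worth doing before uploading a .PEM file to
// the phone: it must hold a private key and a certificate that belong together,
// the certificate must be inside its validity period, and it must cover the
// host that administrators will type into their browser.
func checkCombinedPEM(pemData []byte, host string) (*x509.Certificate, error) {
	pair, err := tls.X509KeyPair(pemData, pemData) // both blocks live in the same file
	if err != nil {
		return nil, fmt.Errorf("missing block or key/certificate mismatch: %w", err)
	}
	cert, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return nil, err
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, errors.New("certificate is outside its validity period")
	}
	if err := cert.VerifyHostname(host); err != nil {
		return nil, fmt.Errorf("certificate does not cover %s: %w", host, err)
	}
	return cert, nil
}

func main() {
	// Host name and address are placeholders for the phone's real ones.
	data, err := makeCombinedPEM([]string{"konftel800.example.local"}, []net.IP{net.ParseIP("192.0.2.10")}, 365)
	if err != nil {
		panic(err)
	}
	// The file carries the private key: keep it owner-only, and delete it once uploaded.
	if err := os.WriteFile("https_web_certificate.pem", data, 0o600); err != nil {
		panic(err)
	}
	cert, err := checkCombinedPEM(data, "konftel800.example.local")
	if err != nil {
		panic(err)
	}
	fmt.Printf("covers %v %v, %d days left, self-signed: %v\n", cert.DNSNames, cert.IPAddresses,
		int(time.Until(cert.NotAfter).Hours()/24), cert.CheckSignatureFrom(cert) == nil)
}
```

checkCombinedPEM is the part worth keeping even if you generate the file with openssl: tls.X509KeyPair rejects a file that is missing either block or whose key does not belong to the certificate, which is the usual cause of an upload that the phone accepts but that never serves the new certificate.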
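The following Go program is an added example, not the phone's web application, that models the scheme described above: one token per logged-in session, rotated on every request the application serves, and required as a request parameter on every state-changing request. The paths, form field names and the cookie name are invented for the example, and logging in with the administrator password is represented by creating the session directly. The demo function plays out the text's scenario: a token copied from an earlier page is rejected, the token from the current page is accepted once, and replaying it is rejected.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// app stands in for the phone's admin web application: the admin password and,
// per logged-in session, the single CSRF token the next request must carry.
type app struct {
	password string
	sessions map[string]string // session id -> current token
}

func newToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// rotate issues a fresh token for the session. The previous token is dead from
// here on, so one copied from an earlier page or link stops working.
func (a *app) rotate(sid string) string {
	a.sessions[sid] = newToken()
	return a.sessions[sid]
}

func (a *app) handler() http.Handler {
	mux := http.NewServeMux()
	// authed rejects callers without a live session, then passes sid and token on.
	authed := func(h func(w http.ResponseWriter, r *http.Request, sid, tok string)) http.HandlerFunc {
		return func(w http.ResponseWriter, r *http.Request) {
			if c, err := r.Cookie("sid"); err == nil {
				if tok, ok := a.sessions[c.Value]; ok {
					h(w, r, c.Value, tok)
					return
				}
			}
			http.Error(w, "login required", http.StatusUnauthorized)
		}
	}
	// Every render of the settings page embeds the token for the next request.
	mux.HandleFunc("/settings", authed(func(w http.ResponseWriter, r *http.Request, sid, _ string) {
		fmt.Fprintf(w, `<form method="post" action="/settings/password"><input type="hidden" name="csrf_token" value="%s"><input name="new_password"></form>`, a.rotate(sid))
	}))
	// A state change needs the session cookie AND the current token. The cookie
	// alone, which a forged request gets for free from the browser, is not enough.
	mux.HandleFunc("/settings/password", authed(func(w http.ResponseWriter, r *http.Request, sid, want string) {
		if r.Method != http.MethodPost ||
			subtle.ConstantTimeCompare([]byte(r.FormValue("csrf_token")), []byte(want)) != 1 {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		a.rotate(sid) // the token just spent is single-use
		a.password = r.FormValue("new_password")
	}))
	return mux
}

// demo plays the scenario from the text and returns three status codes: a token
// copied from an earlier page, the legitimate change, and a replay of the token
// just spent. Every request carries the session cookie, as a forged one would.
func demo() (copied, legit, replay int) {
	sid := newToken() // the session that logging in with the admin password created
	a := &app{password: "admin", sessions: map[string]string{sid: newToken()}}
	h := a.handler()
	send := func(method, path string, form url.Values) *httptest.ResponseRecorder {
		req := httptest.NewRequest(method, path, strings.NewReader(form.Encode()))
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		req.AddCookie(&http.Cookie{Name: "sid", Value: sid})
		w := httptest.NewRecorder()
		h.ServeHTTP(w, req)
		return w
	}
	openSettings := func() string { // renders the page and extracts its 32-hex-char token
		body := send(http.MethodGet, "/settings", nil).Body.String()
		i := strings.Index(body, `value="`) + len(`value="`)
		return body[i : i+32]
	}
	change := func(token, pw string) int {
		return send(http.MethodPost, "/settings/password", url.Values{"csrf_token": {token}, "new_password": {pw}}).Code
	}
	t1 := openSettings() // attacker copies a link or form carrying t1 ...
	t2 := openSettings() // ... but the admin's next request has already rotated it
	copied = change(t1, "pwned")
	legit = change(t2, "s3cret")
	replay = change(t2, "pwned")
	return
}

func main() { fmt.Println(demo()) }
```

Two things a real implementation adds that are left out here for brevity: the session cookie is set with the HttpOnly, Secure and SameSite attributes, and the session store is synchronised, since the phone's server handles requests concurrently while this demo drives it strictly one request at a time.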
