From: Olivier Houchard Date: Wed, 15 Jul 2026 14:40:27 +0000 (+0200) Subject: DOC: stats: Document that stats admin is vulnerable to a CSRF attack X-Git-Url: http://git.kaiwu.me/http/$%7BGITURL%7D//%22%22?a=commitdiff_plain;h=8233bf64dfd6c4a2cfd26f2789d0cbad4600f2a5;p=haproxy.git DOC: stats: Document that stats admin is vulnerable to a CSRF attack Document that stats admin is vulnerable to a CSRF attack that can't be totally mitigated, so if that feature really has to be used, precautions must be taken. This should be backported up to 2.6. Many thanks to Red Hat and AISLE Research for reporting this. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index e1c5b0e8b..1efb97d5a 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -12767,6 +12767,14 @@ stats admin { if | unless } request won't be processed. It is recommended to alter few servers at a time. + Those admin POST requests are prone to CSRF attacks. This is partially + mitigated by checking that the Origin (or Referer if no Origin is present) + matches the Host header, but this is not enough to totally prevent the + attack. + There is no way to be completely protected from those. It is recommended + to avoid exposing it on a public interface, and to restrict who can + access it. + Example : # statistics admin level only for localhost backend stats_localhost