From 8233bf64dfd6c4a2cfd26f2789d0cbad4600f2a5 Mon Sep 17 00:00:00 2001 From: Olivier Houchard Date: Wed, 15 Jul 2026 16:40:27 +0200 Subject: [PATCH] DOC: stats: Document that stats admin is vulnerable to a CSRF attack Document that stats admin is vulnerable to a CSRF attack that can't be totally mitigated, so if that feature really has to be used, precautions must be taken. This should be backported up to 2.6. Many thanks to Red Hat and AISLE Research for reporting this. --- doc/configuration.txt | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/configuration.txt b/doc/configuration.txt index e1c5b0e8b..1efb97d5a 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -12767,6 +12767,14 @@ stats admin { if | unless } request won't be processed. It is recommended to alter few servers at a time. + Those admin POST requests are prone to CSRF attacks. This is partially + mitigated by checking that the Origin (or Referer if no Origin is present) + matches the Host header, but this is not enough to totally prevent the + attack. + There is no way to be completely protected from those. It is recommended + to avoid exposing it on a public interface, and to restrict who can + access it. + Example : # statistics admin level only for localhost backend stats_localhost -- 2.47.3