WebMail Lite Documentation

CSRF protection

In version 8.3.5 of WebMail Lite, we have rewritten CSRF protection. It is enabled by default, but it may require additional configuration of your web server. One indicator that such configuration is needed is the following message:

Cookies need to be updated. To continue, please click here or reload this page.

The typical reason is that the web server is not configured to pass the Authorization header through to the application. To work around that, the product package now ships with a .htaccess file containing the following lines:

# Copy the incoming Authorization header into the HTTP_AUTHORIZATION variable
# so that the application can read it (Apache strips it otherwise).
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

NB: This file assumes that you're running the Apache web server with the mod_rewrite module enabled. If you get Error 500 when accessing your WebMail Lite installation, make sure mod_rewrite is enabled. Depending on your web server configuration, you may also need to make changes to its main configuration file or virtual host definition.

(On a side note, the same .htaccess file also includes configuration directives protecting the data directory from external access, so if the .htaccess file doesn't affect the web server configuration for some reason, it's strongly recommended to look into that.)
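The two notes above (the Authorization header being stripped when .htaccess is not honoured, and the data directory losing its protection in the same case) can both be handled in the virtual host definition instead. The following is an added example, not a file shipped with WebMail Lite; it assumes Apache 2.4 with mod_rewrite and mod_setenvif loaded, and uses /var/www/webmail and webmail.example.com as placeholder install path and host name.

```apache
# Added example, not part of the WebMail Lite package.
# Assumes Apache 2.4 with mod_rewrite and mod_setenvif loaded.
# /var/www/webmail and webmail.example.com are placeholders.

<VirtualHost *:443>
    ServerName webmail.example.com
    DocumentRoot /var/www/webmail

    # Weak setting: AllowOverride None makes Apache ignore the shipped
    # .htaccess, so the Authorization header is stripped before the
    # application sees it and the data directory is no longer protected
    # by that file.
    # <Directory /var/www/webmail>
    #     AllowOverride None
    # </Directory>

    # Corrected, option A: let the shipped .htaccess take effect.
    <Directory /var/www/webmail>
        AllowOverride All
        Require all granted
    </Directory>

    # Corrected, option B: do the same work in the vhost itself, which
    # works even when .htaccess files are not read at all.
    RewriteEngine on
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
    # Equivalent using mod_setenvif instead of mod_rewrite:
    # SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

    # Never serve the data directory (settings, mail data) directly,
    # regardless of whether the .htaccess inside the install is honoured.
    <Directory /var/www/webmail/data>
        Require all denied
    </Directory>
</VirtualHost>
```

After changing the vhost, run `apachectl configtest` and reload Apache, then re-run the CSRF test described below; if the data directory is correctly blocked, requesting data/settings/modules/Core.config.json in a browser should return 403 rather than the file contents.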

If you wish to be certain that CSRF protection is working on your installation, download a test file, unpack it into the root folder of your WebMail Lite installation and open it in a different tab of the same web browser in which you have WebMail Lite open and are logged in. If all the lines in the report text are green, the CSRF protection test has completed successfully.

If you're having trouble reconfiguring your environment to make CSRF protection work, you can disable it by setting CsrfTokenProtection to false in the data/settings/modules/Core.config.json configuration file.
(Not recommended! Do so at your own risk!)