Implementing CSRF Protection in Odoo: Understanding Your Defenses

CSRF (Cross-Site Request Forgery) tricks authenticated users into executing unauthorized actions by submitting malicious requests using their session. Attack flow: (1) User logs into Odoo (authenticated with session cookie), (2) User clicks phishing email link to attacker's site, (3) Attacker's site contains hidden form targeting your Odoo (<form action="https://your-odoo.com/api/orders/delete"> with order_id=12345), (4) Form auto-submits using JavaScript, (5) Browser automatically sends user's session cookie with request, (6) Odoo sees valid session and processes request (thinks it's legitimate), (7) Order deleted without user authorization. Why it works: Browser automatically includes cookies with all requests to the domain, server can't distinguish between legitimate user-initiated request and attacker-initiated request if only checking session cookie. Real D2C impact: Customer viewing orders clicks "package tracking" phishing link, attacker's form deletes orders or changes delivery address using customer's session = data corruption, trust loss, customer frustration.

Odoo auto-generates unique CSRF tokens per session, embeds them in forms, and validates on submission - zero code needed. Token flow: (1) Server generates random unpredictable token ("abc123def456...") when session starts, (2) Stores token in session memory, (3) Automatically embeds token in all forms (<input type="hidden" name="csrf_token" value="abc123...">), (4) Legitimate user submits form with embedded token, (5) Server validates: form token matches session token? Yes ✓ = accept request, (6) Attacker submits malicious form without token (can't know the random session-specific token), (7) Server validates: token missing or wrong? No ✗ = reject request. Why attackers fail: Token is random (unpredictable), session-specific (different per user), not accessible cross-origin (attacker can't read it from their site). Odoo implementation: request.csrf_token() in QWeb templates, odoo.web.csrf_token in JavaScript, X-CSRF-Token header for AJAX. Result: 100% automatic protection, developers do nothing, all state-changing requests (POST/PUT/DELETE) validated.

Only disable CSRF for external integrations (webhooks, mobile APIs) that cannot include tokens, and MUST implement alternative security. Valid reasons: (1) Payment gateway webhooks (Stripe, PayPal send POST requests, can't include your session token), (2) Public APIs with no authentication required, (3) Mobile apps using API keys or JWT instead of sessions. How to disable safely: @http.route('/webhook/payment', csrf=False) BUT implement alternatives: (a) Signature verification for webhooks (hmac.compare_digest(received_signature, expected_signature) using shared secret), (b) JWT token validation for mobile apps (jwt.decode with secret key), (c) API key authentication, (d) Rate limiting (prevent brute force), (e) IP whitelisting (restrict to known IPs). CRITICAL rule: NEVER use csrf=False without implementing alternative security. Common mistake: Disabling CSRF for convenience without alternatives = massive security hole = accounts hijacked, unauthorized transactions, $200k-$1M damages. Correct pattern: Forms and AJAX use CSRF (default), webhooks use csrf=False + signature verification, mobile APIs use csrf=False + JWT tokens.

Get token from page or Odoo core, include in X-CSRF-Token header for all AJAX requests. Method 1 (from page): var csrfToken = document.querySelector('input[name="csrf_token"]').value; reads hidden input auto-embedded by Odoo in forms. Method 2 (from core): var csrfToken = odoo.web.csrf_token; accesses token from Odoo JavaScript core. Include in request: fetch('/api/orders/create', {method: 'POST', headers: {'Content-Type': 'application/json', 'X-CSRF-Token': csrfToken}, body: JSON.stringify({name: 'Order', amount: 1000})}). jQuery AJAX: $.ajax({url: '/api/orders', type: 'POST', headers: {'X-CSRF-Token': csrfToken}, data: {...}}). Axios: axios.post('/api/orders', data, {headers: {'X-CSRF-Token': csrfToken}}). Server validation: Odoo automatically checks X-CSRF-Token header on all POST/PUT/DELETE requests, rejects if missing or invalid. Common error: Forgetting to include token in AJAX = 400 Bad Request "Session expired" even though session is valid. Solution: Always include X-CSRF-Token header in state-changing AJAX calls.

Use HMAC signature verification with shared secret to validate webhook authenticity when csrf=False. Setup: (1) Payment gateway (Stripe/PayPal) and your server share secret key (WEBHOOK_SECRET environment variable), (2) Gateway calculates signature: HMAC-SHA256(webhook_body, secret), includes in header (X-Webhook-Signature or Stripe-Signature), (3) Your server receives webhook, calculates expected signature using same method, (4) Compares signatures using timing-safe comparison (hmac.compare_digest). Implementation: signature = request.headers.get('X-Webhook-Signature'), body = request.get_data(), secret = os.environ.get('WEBHOOK_SECRET'), expected = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest(), if not hmac.compare_digest(signature, expected): return 403 Invalid. Why timing-safe: Regular == comparison reveals timing information attackers can exploit, hmac.compare_digest takes constant time regardless of where strings differ. Why it works: Only sender with secret key can generate valid signature, attacker without secret can't fake signature, validates request came from legitimate source. Common patterns: Stripe uses stripe.Webhook.construct_event (built-in verification), PayPal sends signature in PayPal-Transmission-Sig header. Result: Webhook security equivalent to CSRF protection without needing session tokens.

Disabling CSRF without alternative security causes account hijacking, unauthorized transactions, data modification = $200k-$1M damages. Attack scenarios: (1) Unauthorized order deletion (attacker sends form deleting customer orders), (2) Address modification (change delivery to attacker's address), (3) Payment method changes (add attacker's card), (4) Account takeover (change email/password), (5) Fraudulent orders (place orders using victim's account). Real damages: Customer data corrupted, trust destroyed, chargebacks from unauthorized transactions, GDPR violations (unauthorized data access), legal liability, brand reputation damage. Financial impact: $200k-$1M in direct losses (fraudulent transactions, chargebacks), customer lifetime value loss (customers leave after breach), regulatory fines (GDPR €20M or 4% revenue), incident response costs ($50k-$200k forensics and remediation). Why it's preventable: Odoo CSRF protection is automatic (zero cost), alternative security (JWT, signatures) takes 1-2 hours to implement, monitoring unauthorized attempts is straightforward. Pattern we see: Developer disables CSRF because "webhook doesn't work", skips signature verification "for now", forgets to add it back, attacker finds endpoint, exploits it. Prevention: Never use csrf=False without implementing signature verification, JWT tokens, or other strong authentication.