#15 Documentation: csrfguard.properties improvement

* fixing a typo in the documentation
* syncing the test Owasp.CsrfGuard.properties file with the production one

csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.overlay.properties

@@ -31,6 +31,8 @@ org.owasp.csrfguard.configuration.provider.factory=org.owasp.csrfguard.config.ov
 
 org.owasp.csrfguard.JavascriptServlet.refererPattern = http://localhost:80.*
 
+org.owasp.csrfguard.TokenPerPagePrecreate = true
+
 ################################################################################
 #### Scenario: everything is protected, except the resources enlisted below ####
 ################################################################################

csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.properties

@@ -141,7 +141,7 @@ org.owasp.csrfguard.ValidateWhenNoSessionExists = true
 # impact of exposed CSRF prevention tokens. The following configuration snippet instructs OWASP
 # CSRFGuard to utilize the unique token per-page model:
 org.owasp.csrfguard.TokenPerPage = true
-org.owasp.csrfguard.TokenPerPagePrecreate = true
+org.owasp.csrfguard.TokenPerPagePrecreate = false
 
 ####################
 ## Token Rotation ##
@@ -155,8 +155,14 @@ org.owasp.csrfguard.TokenPerPagePrecreate = true
 # an old token causing CSRFGuard to incorrectly believe this request is a CSRF attack in progress
 # (i.e. a 'false positive'). Users can prevent this scenario by preventing the caching of HTML pages
 # containing FORM submissions using the cache-control header. However, this may also introduce
-# performance problems as the browser will have to request HTML on a more frequent basis. The following
-# configuration snippet enables token rotation:
+# performance problems as the browser will have to request HTML on a more frequent basis.
+#
+# Note: Rotation in case of AJAX requests is not supported currently because of possible race conditions.
+# A Single Page Application can fire multiple simultaneous requests. If rotation is enabled for AJAX requests,
+# the first request could trigger a token change before the validation of the same token within the second request,
+# causing false-positive CSRF intrusion exceptions.
+#
+# The following configuration snippet enables token rotation:
 #
 # org.owasp.csrfguard.Rotate = true
 
@@ -181,9 +187,9 @@ org.owasp.csrfguard.TokenPerPagePrecreate = true
 # correctness of the X-Requested-With and custom headers:
 org.owasp.csrfguard.Ajax = true
 
-######################
-## Protecting Pages ##
-######################
+#######################
+## Protecting Pages  ##
+#######################
 # The default behavior of CSRFGuard is to protect all pages. Pages marked as unprotected will not be protected.
 # If the Protect property is enabled, this behavior is reversed. Pages must be marked as protected to be protected.
 # All other pages will not be protected. This is useful when the CsrfGuardFilter is aggressively mapped (ex: /*),
@@ -228,17 +234,17 @@ org.owasp.csrfguard.Ajax = true
 # Regex example starts with ^ and ends with $, and the %servletContext% is evaluated before the regex:
 # org.owasp.csrfguard.unprotected.PublicServlet = ^%servletContext%/.*Public\.do$
 
-#org.owasp.csrfguard.unprotected.Default = %servletContext%/
-#org.owasp.csrfguard.unprotected.Upload = %servletContext%/upload.html
-#org.owasp.csrfguard.unprotected.JavaScriptServlet = %servletContext%/JavaScriptServlet
-#org.owasp.csrfguard.unprotected.Ajax = %servletContext%/ajax.html
-#org.owasp.csrfguard.unprotected.Error = %servletContext%/error.html
-#org.owasp.csrfguard.unprotected.Index = %servletContext%/index.html
-#org.owasp.csrfguard.unprotected.JavaScript = %servletContext%/javascript.html
-#org.owasp.csrfguard.unprotected.Tag = %servletContext%/tag.jsp
-#org.owasp.csrfguard.unprotected.Redirect = %servletContext%/redirect.jsp
-#org.owasp.csrfguard.unprotected.Forward = %servletContext%/forward.jsp
-#org.owasp.csrfguard.unprotected.Session = %servletContext%/session.jsp
+# org.owasp.csrfguard.unprotected.Default = %servletContext%/
+# org.owasp.csrfguard.unprotected.Upload = %servletContext%/upload.html
+# org.owasp.csrfguard.unprotected.JavaScriptServlet = %servletContext%/JavaScriptServlet
+# org.owasp.csrfguard.unprotected.Ajax = %servletContext%/ajax.html
+# org.owasp.csrfguard.unprotected.Error = %servletContext%/error.html
+# org.owasp.csrfguard.unprotected.Index = %servletContext%/index.html
+# org.owasp.csrfguard.unprotected.JavaScript = %servletContext%/javascript.html
+# org.owasp.csrfguard.unprotected.Tag = %servletContext%/tag.jsp
+# org.owasp.csrfguard.unprotected.Redirect = %servletContext%/redirect.jsp
+# org.owasp.csrfguard.unprotected.Forward = %servletContext%/forward.jsp
+# org.owasp.csrfguard.unprotected.Session = %servletContext%/session.jsp
 
 ####################################
 ## Actions: Responding to Attacks ##
@@ -271,7 +277,7 @@ org.owasp.csrfguard.Ajax = true
 # of "%servletContext%/error.html" (i.e. [parameterValue]) for the action "Redirect" (i.e. [actionName]). The
 # Redirect action expects the "ErrorPage" parameter to be defined and will redirect the user to this location when
 # an attack is detected.
-#org.owasp.csrfguard.action.Empty = org.owasp.csrfguard.action.Empty
+# org.owasp.csrfguard.action.Empty = org.owasp.csrfguard.action.Empty
 #
 # org.owasp.csrfguard.action.Invalidate = org.owasp.csrfguard.action.Invalidate
 #
@@ -292,8 +298,8 @@ org.owasp.csrfguard.action.Rotate = org.owasp.csrfguard.action.Rotate
 
 # Extension modules can add their own actions. Please refer to their documentation to see what actions can be added.
 # Extension provided actions should be added through a configuration overlay.
-#org.owasp.csrfguard.action.SessionAttribute = org.owasp.csrfguard.action.SessionAttribute
-#org.owasp.csrfguard.action.SessionAttribute.AttributeName = Owasp_CsrfGuard_Exception_Key
+# org.owasp.csrfguard.action.SessionAttribute = org.owasp.csrfguard.action.SessionAttribute
+# org.owasp.csrfguard.action.SessionAttribute.AttributeName = Owasp_CsrfGuard_Exception_Key
 
 ################
 ## Token Name ##
@@ -346,7 +352,7 @@ org.owasp.csrfguard.Config.Print = true
 # Use of this property and the existence of the specified template file is required.
 org.owasp.csrfguard.JavascriptServlet.sourceFile =
 
-# Boolean value that determines whether or not the dynamic JavaScript code should be strict 
+# Boolean value that determines whether or not the dynamic JavaScript code should be strict
 # with regards to what links it should inject the CSRF prevention token. With a value of true, 
 # the JavaScript code will only place the token in links that point to the same exact domain 
 # from which the HTML originated. With a value of false, the JavaScript code will place the 
@@ -499,5 +505,6 @@ org.owasp.csrfguard.PageTokenSynchronizationTolerance = 2000
 # "forceSynchronousAjax" property below, until there is browser support for it.
 #
 # Defaults to False.
+# Note: it is only enabled for the demo application, for testing purposes.
 #
 org.owasp.csrfguard.forceSynchronousAjax = false

csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuard.java

@@ -272,10 +272,10 @@ public String toString() {
     }
 
     /**
-     * Rotation in case of AJAX requests is not currently not supported because of the possible race conditions.
+     * Rotation in case of AJAX requests is not supported currently because of possible race conditions.
      * <p>
      * A Single Page Application can fire multiple simultaneous requests.
-     * If rotation is enabled, the first request might trigger a token change before the validation of the second request with the same token, causing
+     * If rotation is enabled for AJAX requests, the first request could trigger a token change before the validation of the second request with the same token, causing
      * false-positive CSRF intrusion exceptions.
      *
      * @param request the current request

csrfguard/src/main/resources/csrfguard.properties

@@ -157,9 +157,9 @@ org.owasp.csrfguard.TokenPerPagePrecreate = false
 # containing FORM submissions using the cache-control header. However, this may also introduce
 # performance problems as the browser will have to request HTML on a more frequent basis.
 #
-# Note: Rotation in case of AJAX requests is not currently not supported because of the possible race conditions.
-# A Single Page Application can fire multiple simultaneous requests. If rotation is enabled,
-# the first request might trigger a token change before the validation of the same token within the second request,
+# Note: Rotation in case of AJAX requests is not supported currently because of possible race conditions.
+# A Single Page Application can fire multiple simultaneous requests. If rotation is enabled for AJAX requests,
+# the first request could trigger a token change before the validation of the same token within the second request,
 # causing false-positive CSRF intrusion exceptions.
 #
 # The following configuration snippet enables token rotation:
@@ -504,6 +504,4 @@ org.owasp.csrfguard.PageTokenSynchronizationTolerance = 2000
 # "forceSynchronousAjax" property below, until there is browser support for it.
 #
 # Defaults to False.
-# Note: it is only enabled for the demo application, for testing purposes.
-#
 org.owasp.csrfguard.forceSynchronousAjax = false