Enabling Cross Site Request Forgery (CSRF) Protection

Aurea CRM.Web provides the element <EnableCsrfProtection/> in the settings.xml file, which can be set to true to enable CSRF protection. Aurea CRM.Web uses the Cookie-to-Header Token method to prevent cross-site request forgery attacks. This method relies on the same-origin policy, which ensures that only JavaScript running within the same origin can read the cookie's value.

This method uses a random token that is generated by the server when a user logs in and that the client includes in all its requests to the server for the duration of the session. JavaScript that belongs to the same origin on the client side can read this token value and include it in the custom header when it sends a transaction request. The assumption here is that JavaScript running from a rogue file cannot supply the X-Csrf-Token header, because it cannot read the Csrf-token cookie, as it is not from the same origin. Consequently, its transaction request is not honored by CRM.Web and the CSRF attack fails.

Important: This option is set to false by default. All customer-side extension software (including client browsers) that sends requests to CRM.Web must be adapted to use the Cookie-to-Header Token method before enabling this option.
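The following is an added example, not code from Aurea CRM.Web, showing both halves of the Cookie-to-Header Token pattern described above: the same-origin client script that copies the token from the cookie into the custom header (the adaptation that customer-side extension software needs), and a server-side check that only honors a transaction request when the header token matches the cookie token. The cookie name `Csrf-token` and header name `X-Csrf-Token` follow the description on this page; their exact spelling in a real deployment, the `sessionid` cookie, and the token values are assumptions constructed for the example.

```javascript
// Added example of the Cookie-to-Header Token pattern; not Aurea CRM.Web code.
// Cookie and header names follow the page's description; exact spelling is an assumption.
const CSRF_COOKIE = "Csrf-token";
const CSRF_HEADER = "X-Csrf-Token";

// Parse a document.cookie-style string ("a=1; b=2") and return the named value, or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    if (key === name) return decodeURIComponent(part.slice(idx + 1).trim());
  }
  return null;
}

// Client side: build fetch() options that carry the cookie's token in the custom header.
// Only script from the CRM.Web origin can read the cookie, so a page on another origin
// cannot produce this header even though the browser still attaches the cookies.
function withCsrfHeader(cookieString, init = {}) {
  const token = readCookie(cookieString, CSRF_COOKIE);
  const headers = { ...(init.headers || {}) };
  if (token !== null) headers[CSRF_HEADER] = token;
  return { ...init, headers, credentials: "same-origin" };
}

// Constant-time comparison so the check does not leak where two tokens differ.
function tokensEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side: honor a state-changing request only when the header token equals the cookie token.
// `request` is a plain object { cookies: string, headers: { name: value } } constructed for the example.
function csrfCheck(request) {
  const fromCookie = readCookie(request.cookies || "", CSRF_COOKIE);
  const headerName = Object.keys(request.headers || {})
    .find((h) => h.toLowerCase() === CSRF_HEADER.toLowerCase());
  const fromHeader = headerName ? request.headers[headerName] : null;
  if (fromCookie === null || fromHeader === null) return { ok: false, reason: "missing token" };
  if (!tokensEqual(fromCookie, fromHeader)) return { ok: false, reason: "token mismatch" };
  return { ok: true, reason: "" };
}

// Constructed sample: the browser's cookie jar for the CRM.Web origin after login.
const SAMPLE_COOKIES = "sessionid=abc123; Csrf-token=f3a9c0d1e2b4; theme=dark";

// Same-origin script: the header is present and matches, so the request is honored.
const legit = { cookies: SAMPLE_COOKIES, headers: withCsrfHeader(SAMPLE_COOKIES, { method: "POST" }).headers };
// Cross-origin page: cookies are sent automatically, but the rogue script could not read the token.
const forged = { cookies: SAMPLE_COOKIES, headers: { "Content-Type": "application/x-www-form-urlencoded" } };

console.log(csrfCheck(legit));   // { ok: true, reason: "" }
console.log(csrfCheck(forged));  // { ok: false, reason: "missing token" }
```

Two consequences of this pattern are worth checking in a deployment: the token cookie has to be readable by script, so it cannot carry the HttpOnly flag, and the server-side comparison must be applied to every state-changing request, since a single unguarded endpoint is enough for the forged request to succeed.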
For more information, see: