Enabling Cross Site Request Forgery (CSRF) Protection
Aurea CRM.Web provides the element <EnableCsrfProtection/> in the settings.xml file, which can be set to true to enable CSRF protection. Aurea CRM.Web uses the Cookie-to-Header Token method to prevent cross-site request forgery attacks. This method relies on the same-origin policy, which ensures that only JavaScript running in the same origin as the cookie can read the cookie's value.
This method uses a random token that the server generates when a user logs in and sets as a cookie; the client must include that token in a custom header on every request it sends to the server for the duration of the session. JavaScript belonging to the same origin can read the token value from the cookie and add it to the X-Csrf-Token header when it sends a transaction request. JavaScript served from a rogue site cannot read the Csrf-token cookie, because it is not from the same origin, so its requests do not carry a valid X-Csrf-Token header. Consequently CRM.Web does not honor such a transaction request and the CSRF attack fails.
<EnableCsrfProtection/> is false by default. All customer-side extension software (including client-side code running in browsers) that sends requests to CRM.Web must be adapted to use the Cookie-to-Header Token method before enabling this option; otherwise its requests are no longer honored once protection is on.

See also:
- Cross-site request forgery for the Cookie-to-Header Token method
- Same-origin policy