Line 1: Line 1:
=CSRF Protection=
+
=CSRF protection=
 
__TOC__
 
__TOC__
==Overview==
+
Web Services provides protection against Cross Site Request Forgery (CSRF) attacks. For general information and background on CSRF see the {{#Widget:ExtLink|link=https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet|displaytext=OWASP CSRF Prevention Cheat Sheet}}.
Workspace Web Edition & Web Services provides protection against Cross Site Request Forgery (CSRF) attacks.
 
 
 
For general information and background on CSRF see [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet].
 
  
 
==Setup==
 
==Setup==
To set up Cross Site Request Forgery Protection, two new configuration options were introduced to the <tt>server-settings.yaml</tt> file.
+
To set up Cross Site Request Forgery protection, two new configuration options were introduced to the <tt>server-settings.yaml</tt> file.
  
 
{|
 
{|
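Review bot: the rewritten Overview line drops "Workspace Web Edition &" from the product name and replaces the bare OWASP URL with a {{#Widget:ExtLink|...}} call; confirm that narrowing the scope to "Web Services" is intended, and that the Widget extension is available on the target wiki, otherwise the external link will not render.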
Line 34: Line 31:
 
Link to [[Documentation:HTCC:API:CSRFProtection:8.5.2DRAFT|API documentation and examples]]
 
Link to [[Documentation:HTCC:API:CSRFProtection:8.5.2DRAFT|API documentation and examples]]
  
==Next Step==
+
==Next step==
*[[Security|Back to Configuring Security]]
+
*[[Security|Back to Configuring security]]
  
 
[[Category:V:HTCC:8.5.2DRAFT]]
 
[[Category:V:HTCC:8.5.2DRAFT]]

Revision as of 16:59, December 9, 2015

CSRF protection

Web Services provides protection against Cross Site Request Forgery (CSRF) attacks. For general information and background on CSRF see the OWASP CSRF Prevention Cheat Sheet.

Setup

To set up Cross Site Request Forgery protection, two new configuration options were introduced to the server-settings.yaml file.

Option                  Description
enableCsrfProtection    (true/false) Determines whether CSRF protections should be enabled for the GWS node.
exposedHeaders          A comma-separated list of headers to include in Access-Control-Expose-Headers.

Example

enableCsrfProtection: true
crossOriginSettings:
    corsFilterCacheTimeToLive: 120
    allowedOrigins: https://*.salesforce.com, https://*.force.com, http://127.0.0.1:9090
    allowedMethods: GET,POST,PUT,DELETE,OPTIONS
    allowedHeaders: "X-Requested-With,Content-Type,Accept,Origin,Cookie,authorization,ssid,surl,ContactCenterId,X-CSRF-TOKEN"
    allowCredentials: true
    exposedHeaders: "X-CSRF-HEADER,X-CSRF-TOKEN"
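As an added example (not part of this documentation), the following Python checks a server-settings.yaml fragment for consistency between the CSRF option and the CORS options shown above; it assumes the browser client submits the token in the X-CSRF-TOKEN request header, which is why that header appears in both allowedHeaders and exposedHeaders in the example.

```python
# Consistency checks for the CSRF and CORS options in server-settings.yaml.
# Added example, not part of the Genesys documentation. Parses only the
# two-level `key: value` subset used in the page's example (no PyYAML needed).
# Assumption: the browser client submits the token in the X-CSRF-TOKEN header.
# The page's own example configuration.
GOOD = """\
enableCsrfProtection: true
crossOriginSettings:
    corsFilterCacheTimeToLive: 120
    allowedOrigins: https://*.salesforce.com, https://*.force.com, http://127.0.0.1:9090
    allowedMethods: GET,POST,PUT,DELETE,OPTIONS
    allowedHeaders: "X-Requested-With,Content-Type,Accept,Origin,Cookie,authorization,ssid,surl,ContactCenterId,X-CSRF-TOKEN"
    allowCredentials: true
    exposedHeaders: "X-CSRF-HEADER,X-CSRF-TOKEN"
"""
def parse_settings(text):
    """Parse top-level scalars and one level of indented `key: value` pairs."""
    settings, section = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.partition(":")  # split on the first colon only
        key, value = key.strip(), value.strip().strip('"')
        if raw[0] in " \t" and section is not None:
            section[key] = value
        elif value == "":  # "crossOriginSettings:" opens a block
            section = settings.setdefault(key, {})
        else:
            settings[key] = value
            section = None
    return settings

def header_set(value):
    """Comma-separated option value -> set of lower-cased items (header names are case-insensitive)."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}

def check_csrf_settings(text, token_header="X-CSRF-TOKEN"):
    """Return a list of findings; an empty list means the options agree with each other."""
    s = parse_settings(text)
    cors = s.get("crossOriginSettings", {})
    token, findings = token_header.lower(), []
    if s.get("enableCsrfProtection", "false").lower() != "true":
        findings.append("enableCsrfProtection is not true: CSRF checks are disabled")
    if token not in header_set(cors.get("exposedHeaders", "")):
        findings.append(f"{token_header} not in exposedHeaders: a cross-origin client cannot read it")
    if token not in header_set(cors.get("allowedHeaders", "")):
        findings.append(f"{token_header} not in allowedHeaders: preflight rejects requests carrying it")
    if cors.get("allowCredentials", "false").lower() == "true" and "*" in header_set(cors.get("allowedOrigins", "")):
        findings.append("allowCredentials: true combined with wildcard allowedOrigins")
    return findings
```

check_csrf_settings(GOOD) returns no findings for the page's example, while a fragment with enableCsrfProtection: false, a wildcard origin combined with credentials, or the token header missing from either list gets one finding per problem.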

Link to API documentation and examples

Next step
