(Auto-creation of topic Documentation:HTCC:Dep:CSRFProtection:8.5.2DRAFT via TOC Documentation:HTCC:DepTOC8.5.2DRAFT) |
|||
| Line 1: | Line 1: | ||
| − | = | + | =Cross Site Request Forgery Protection= |
| + | |||
| + | |||
| + | ==Overview== | ||
| + | Genesys Web Services provides protections against Cross Site Request Forgery (CSRF) attacks. | ||
| + | |||
| + | For general information and background on CSRF see [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet]. | ||
| + | |||
| + | ==Setup== | ||
| + | To set up Cross Site Request Forgery Protection, two new configuration options were introduced to the <tt>server-settings.yaml</tt> file. | ||
| + | |||
| + | {| | ||
| + | ! Option | ||
| + | ! Description | ||
| + | |- | ||
| + | | enableCsrfProtection | ||
| + | | (true/false) Determines whether CSRF protections should be enabled for the GWS node. | ||
| + | |- | ||
| + | | exposedHeaders | ||
| + | | A comma separated list of headers to include in Access-Control-Expose-Headers. | ||
| + | |} | ||
| + | |||
| + | ===Example=== | ||
| + | <pre> | ||
| + | enableCsrfProtection: true | ||
| + | crossOriginSettings: | ||
| + | corsFilterCacheTimeToLive: 120 | ||
| + | allowedOrigins: https://*.salesforce.com, https://*.force.com, http://127.0.0.1:9090 | ||
| + | allowedMethods: GET,POST,PUT,DELETE,OPTIONS | ||
| + | allowedHeaders: "X-Requested-With,Content-Type,Accept,Origin,Cookie,authorization,ssid,surl,ContactCenterId,X-CSRF-TOKEN" | ||
| + | allowCredentials: true | ||
| + | exposedHeaders: "X-CSRF-HEADER,X-CSRF-TOKEN" | ||
| + | </pre> | ||
| + | |||
| + | As you can see from the example provided, <tt>X-CSRF-TOKEN</tt> has been added to the default allowed headers. | ||
| + | |||
| + | Link to [[Documentation:HTCC:API:Welcome:8.5.2DRAFT|API samples]] | ||
| + | |||
[[Category:V:HTCC:8.5.2DRAFT]] | [[Category:V:HTCC:8.5.2DRAFT]] | ||
Revision as of 14:33, August 12, 2014
Cross Site Request Forgery Protection
Overview
Genesys Web Services provides protections against Cross Site Request Forgery (CSRF) attacks.
For general information and background on CSRF see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet.
Setup
To set up Cross Site Request Forgery Protection, two new configuration options were introduced to the server-settings.yaml file.
| Option | Description |
|---|---|
| enableCsrfProtection | (true/false) Determines whether CSRF protections should be enabled for the GWS node. |
| exposedHeaders | A comma separated list of headers to include in Access-Control-Expose-Headers. |
Example
enableCsrfProtection: true
crossOriginSettings:
corsFilterCacheTimeToLive: 120
allowedOrigins: https://*.salesforce.com, https://*.force.com, http://127.0.0.1:9090
allowedMethods: GET,POST,PUT,DELETE,OPTIONS
allowedHeaders: "X-Requested-With,Content-Type,Accept,Origin,Cookie,authorization,ssid,surl,ContactCenterId,X-CSRF-TOKEN"
allowCredentials: true
exposedHeaders: "X-CSRF-HEADER,X-CSRF-TOKEN"
As you can see from the example provided, X-CSRF-TOKEN has been added to the default allowed headers.
Link to API samples
Comments or questions about this documentation? Contact us for support!